{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-49828", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-01T14:05:17.228Z", "datePublished": "2025-05-01T14:09:47.443Z", "dateUpdated": "2026-05-11T19:07:33.531Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:07:33.531Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlbfs: don't delete error page from pagecache\n\nThis change is very similar to the change that was made for shmem [1], and\nit solves the same problem but for HugeTLBFS instead.\n\nCurrently, when poison is found in a HugeTLB page, the page is removed\nfrom the page cache. That means that attempting to map or read that\nhugepage in the future will result in a new hugepage being allocated\ninstead of notifying the user that the page was poisoned. As [1] states,\nthis is effectively memory corruption.\n\nThe fix is to leave the page in the page cache. If the user attempts to\nuse a poisoned HugeTLB page with a syscall, the syscall will fail with\nEIO, the same error code that shmem uses. For attempts to map the page,\nthe thread will get a BUS_MCEERR_AR SIGBUS.\n\n[1]: commit a76054266661 (\"mm: shmem: don't truncate page if memory failure happens\")"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/hugetlbfs/inode.c", "mm/hugetlb.c", "mm/memory-failure.c"], "versions": [{"version": "78bb920344b8a6f04b79a7c254041723b931c94f", "lessThan": "30571f28bb35c826219971c63bcf60d2517112ed", "status": "affected", "versionType": "git"}, {"version": "78bb920344b8a6f04b79a7c254041723b931c94f", "lessThan": "ec667443b2dbc6cdbbac4073e51a17733158ec6a", "status": "affected", "versionType": "git"}, {"version": "78bb920344b8a6f04b79a7c254041723b931c94f", "lessThan": "8625147cafaa9ba74713d682f5185eb62cb2aedb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/hugetlbfs/inode.c", "mm/hugetlb.c", "mm/memory-failure.c"], "versions": [{"version": "4.13", "status": "affected"}, {"version": "0", "lessThan": "4.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.80", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.10", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "5.15.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.0.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/30571f28bb35c826219971c63bcf60d2517112ed"}, {"url": "https://git.kernel.org/stable/c/ec667443b2dbc6cdbbac4073e51a17733158ec6a"}, {"url": "https://git.kernel.org/stable/c/8625147cafaa9ba74713d682f5185eb62cb2aedb"}], "title": "hugetlbfs: don't delete error page from pagecache", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15DB3C25-553E-4AFA-AD20-45C84054F9CD", "versionEndExcluding": "5.15.80", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "64F9ADD1-3ADB-4D66-A00F-4A83010B05F0", "versionEndExcluding": "6.0.10", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlbfs: don't delete error page from pagecache\n\nThis change is very similar to the change that was made for shmem [1], and\nit solves the same problem but for HugeTLBFS instead.\n\nCurrently, when poison is found in a HugeTLB page, the page is removed\nfrom the page cache. That means that attempting to map or read that\nhugepage in the future will result in a new hugepage being allocated\ninstead of notifying the user that the page was poisoned. As [1] states,\nthis is effectively memory corruption.\n\nThe fix is to leave the page in the page cache. If the user attempts to\nuse a poisoned HugeTLB page with a syscall, the syscall will fail with\nEIO, the same error code that shmem uses. For attempts to map the page,\nthe thread will get a BUS_MCEERR_AR SIGBUS.\n\n[1]: commit a76054266661 (\"mm: shmem: don't truncate page if memory failure happens\")"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hugetlbfs: no elimine la p\u00e1gina de error de la cach\u00e9 de p\u00e1ginas Este cambio es muy similar al cambio que se realiz\u00f3 para shmem [1] y resuelve el mismo problema, pero para HugeTLBFS. Actualmente, cuando se encuentra veneno en una p\u00e1gina HugeTLB, la p\u00e1gina se elimina de la cach\u00e9 de p\u00e1ginas. Eso significa que intentar mapear o leer esa p\u00e1gina enorme en el futuro dar\u00e1 como resultado que se asigne una nueva p\u00e1gina enorme en lugar de notificar al usuario que la p\u00e1gina fue envenenada. Como indica [1], esto es efectivamente corrupci\u00f3n de memoria. La soluci\u00f3n es dejar la p\u00e1gina en la cach\u00e9 de p\u00e1ginas. Si el usuario intenta usar una p\u00e1gina HugeTLB envenenada con una llamada al sistema, la llamada al sistema fallar\u00e1 con EIO, el mismo c\u00f3digo de error que usa shmem. Para los intentos de mapear la p\u00e1gina, el hilo obtendr\u00e1 un SIGBUS BUS_MCEERR_AR. [1]: commit a76054266661 (\"mm: shmem: no truncar la p\u00e1gina si se produce un fallo de memoria\")"}], "id": "CVE-2022-49828", "lastModified": "2025-11-10T20:10:01.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-01T15:16:06.260", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/30571f28bb35c826219971c63bcf60d2517112ed"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8625147cafaa9ba74713d682f5185eb62cb2aedb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ec667443b2dbc6cdbbac4073e51a17733158ec6a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: hugetlbfs: don't delete error page from pagecache", "id": "2363504", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363504"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nhugetlbfs: don't delete error page from pagecache\nThis change is very similar to the change that was made for shmem [1], and\nit solves the same problem but for HugeTLBFS instead.\nCurrently, when poison is found in a HugeTLB page, the page is removed\nfrom the page cache. That means that attempting to map or read that\nhugepage in the future will result in a new hugepage being allocated\ninstead of notifying the user that the page was poisoned. As [1] states,\nthis is effectively memory corruption.\nThe fix is to leave the page in the page cache. If the user attempts to\nuse a poisoned HugeTLB page with a syscall, the syscall will fail with\nEIO, the same error code that shmem uses. For attempts to map the page,\nthe thread will get a BUS_MCEERR_AR SIGBUS.\n[1]: commit a76054266661 (\"mm: shmem: don't truncate page if memory failure happens\")"], "name": "CVE-2022-49828", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49828\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49828\nhttps://lore.kernel.org/linux-cve-announce/2025050136-CVE-2022-49828-7143@gregkh/T"], "threat_severity": "Moderate"}

{}