{"id":"CVE-2022-50630","summary":"mm: hugetlb: fix UAF in hugetlb_handle_userfault","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: fix UAF in hugetlb_handle_userfault\n\nThe vma_lock and hugetlb_fault_mutex are dropped before handling userfault\nand reacquire them again after handle_userfault(), but reacquire the\nvma_lock could lead to UAF[1,2] due to the following race,\n\nhugetlb_fault\n  hugetlb_no_page\n    /*unlock vma_lock */\n    hugetlb_handle_userfault\n      handle_userfault\n        /* unlock mm-\u003emmap_lock*/\n                                           vm_mmap_pgoff\n                                             do_mmap\n                                               mmap_region\n                                                 munmap_vma_range\n                                                   /* clean old vma */\n        /* lock vma_lock again  \u003c--- UAF */\n    /* unlock vma_lock */\n\nSince the vma_lock will unlock immediately after\nhugetlb_handle_userfault(), let's drop the unneeded lock and unlock in\nhugetlb_handle_userfault() to fix the issue.\n\n[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/\n[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/","modified":"2026-03-20T11:47:33.156462Z","published":"2025-12-08T01:16:45.555Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0316-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0350-1","SUSE-SU-2026:0369-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50630.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0db2efb3bff879566f05341d94c3de00ac95c4cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/45c33966759ea1b4040c08dacda99ef623c0ca29"},{"type":"WEB","url":"https://git.kernel.org/stable/c/78504bcedb2f1bbfb353b4d233c24d641c4dda33"},{"type":"WEB","url":"https://git.kernel.org/stable/c/958f32ce832ba781ac20e11bb2d12a9352ea28fc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd691973f67b2800a97db723b1ff6f07fdcf7f5a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50630.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50630"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45"},{"fixed":"45c33966759ea1b4040c08dacda99ef623c0ca29"},{"fixed":"0db2efb3bff879566f05341d94c3de00ac95c4cc"},{"fixed":"dd691973f67b2800a97db723b1ff6f07fdcf7f5a"},{"fixed":"78504bcedb2f1bbfb353b4d233c24d641c4dda33"},{"fixed":"958f32ce832ba781ac20e11bb2d12a9352ea28fc"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50630.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.11.0"},{"fixed":"5.10.150"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"5.19.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.20.0"},{"fixed":"6.0.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50630.json"}}],"schema_version":"1.7.5"}