CVE-2022-50630
Description
In the Linux kernel, the following vulnerability has been resolved:
mm: hugetlb: fix UAF in hugetlb_handle_userfault
The vma_lock and hugetlb_fault_mutex are dropped before handling userfault and reacquire them again after handle_userfault(), but reacquire the vma_lock could lead to UAF[1,2] due to the following race,
hugetlb_fault hugetlb_no_page /*unlock vma_lock */ hugetlb_handle_userfault handle_userfault /* unlock mm->mmap_lock*/ vm_mmap_pgoff do_mmap mmap_region munmap_vma_range /* clean old vma */ /* lock vma_lock again <--- UAF */ /* unlock vma_lock */
Since the vma_lock will unlock immediately after hugetlb_handle_userfault(), let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix the issue.
[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/ [2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free (UAF) vulnerability in the Linux kernel's hugetlb subsystem occurs when vma_lock is reacquired after handling a userfault, allowing a concurrent munmap to free the VMA.
Root
Cause
In the Linux kernel's hugetlb fault handling path, the function hugetlb_handle_userfault() temporarily drops the VMA lock (vma_lock) and the hugetlb fault mutex before invoking handle_userfault(). After the userfault is handled, the code reacquires the VMA lock. However, during the window when the lock is dropped, a concurrent thread can call `munmap the VMA, freeing the underlying memory. When the lock is reacquired, the kernel accesses freed memory, leading to a use-after-free (UAF) condition [1][2].
Exploitation
An attacker must be able to trigger a hugetlb page fault that results in a userfault, and simultaneously have a thread that can unmap the same VMA (e.g., via munmap). The race window exists between the unlock of vma_lock in hugetlb_handle_userfault() and its reacquisition after handle_userfault() returns. No special privileges are required beyond the ability to map hugetlb pages and trigger userfaults, which is available to unprivileged users in many configurations.
Impact
Successful exploitation of this UAF can allow an attacker to corrupt kernel memory, potentially leading to a denial of service (system crash) or, in more severe cases, arbitrary code execution with kernel privileges. The vulnerability is rated with a CVSS score of 7.8 (High) due to the high impact on confidentiality, integrity, and availability.
Mitigation
The fix, committed as 45c33966759e and 0db2efb3bff8 in the Linux kernel stable tree, removes the unnecessary lock/unlock cycle in hugetlb_handle_userfault(), ensuring the VMA lock is not dropped during the userfault handling. Users should apply the latest kernel updates from their distribution to remediate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
545c33966759e0db2efb3bff8dd691973f67b78504bcedb2f958f32ce832bVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/0db2efb3bff879566f05341d94c3de00ac95c4ccnvd
- git.kernel.org/stable/c/45c33966759ea1b4040c08dacda99ef623c0ca29nvd
- git.kernel.org/stable/c/78504bcedb2f1bbfb353b4d233c24d641c4dda33nvd
- git.kernel.org/stable/c/958f32ce832ba781ac20e11bb2d12a9352ea28fcnvd
- git.kernel.org/stable/c/dd691973f67b2800a97db723b1ff6f07fdcf7f5anvd
News mentions
0No linked articles in our index yet.