VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50675

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored

Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently setting PG_mte_tagged on an untagged page.

The above commit was required as guests may enable MTE without any control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM. However, the side-effect was that any page with a PTE that looked like swap (or migration) was getting PG_mte_tagged set automatically. A subsequent page copy (e.g. migration) copied the tags to the destination page even if the tags were owned by KASAN.

This issue was masked by the page_kasan_tag_reset() call introduced in commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags"). When this commit was reverted (20794545c146), KASAN started reporting access faults because the overriding tags in a page did not match the original page->flags (with CONFIG_KASAN_HW_TAGS=y):

BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
Read at addr f5ff000017f2e000 by task syz-executor.1/2218
Pointer tag: [f5], memory tag: [f2]

Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual place where tags are cleared (mte_sync_page_tags()) or restored (mte_restore_tags()).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel flaw in arm64 MTE where PG_mte_tagged was set on pages without tag clearing/restore, causing KASAN access faults.

Root Cause

In the Linux kernel, the arm64 Memory Tagging Extension (MTE) code set PG_mte_tagged in mte_sync_tags() even when no tags were actually cleared or restored [1]. Prior to commit 69e3b846d8a7, mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE), so setting the flag there was safe [1]. That commit was itself needed because guests may enable MTE without any control at the stage 2 mapping, but its side effect was that any page whose PTE looked like a swap (or migration) entry got PG_mte_tagged set automatically [1].

Exploitation

An attacker can trigger this without authentication by exploiting memory operations such as page migration [1]. When tags were owned by KASAN (Kernel Address Sanitizer), a page copy would transfer tags to the destination page even when the tags should not have been applied [1]. This was previously masked by page_kasan_tag_reset() which was later reverted, exposing the fault [1].

Impact

KASAN reports invalid access faults due to tag mismatch between pointer and memory tags [1]. For example, a read at address f5ff000017f2e000 with pointer tag [f5] but memory tag [f2] caused a crash in copy_page() [1]. This can lead to system instability or denial of service.

Mitigation

The fix moves PG_mte_tagged setting from mte_sync_tags() to the actual locations where tags are cleared (mte_sync_page_tags()) or restored (mte_restore_tags()) [1]. The patch is available in the stable kernel tree as commit 918002bdbe4 [1].
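The following C model is added here to illustrate the mechanism in the Description and the fix described under Mitigation; it is not kernel code and not the upstream patch. Page flags, tag granules, the KASAN tag check, the PTE shape and every name ending in _model are constructed for this example. It contrasts the pre-fix path (flag set by test_and_set_bit before any tags are touched) with the fixed path (flag set only where tags are cleared or restored), then runs the migration copy from the advisory on a page whose tags are owned by KASAN.

```c
/* Constructed model of the PG_mte_tagged issue; NOT Linux kernel code.
 * Sizes, names and the KASAN check are invented for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define GRANULES 8                 /* tag granules per model page (real: 4096/16) */
#define PG_MTE_TAGGED (1UL << 0)   /* model bit standing in for PG_mte_tagged */

struct page_model {
    unsigned long flags;           /* holds PG_MTE_TAGGED */
    uint8_t kasan_tag;             /* tag KASAN keeps in page->flags for pointers */
    uint8_t tags[GRANULES];        /* memory tag of each granule */
};

/* PTE model: is_swap = entry looks like swap/migration; has_saved_tags =
 * swap storage holds tags for it; is_tagged = mapped with PROT_MTE. */
struct pte_model {
    bool is_swap;
    bool has_saved_tags;
    bool is_tagged;
    uint8_t saved_tags[GRANULES];
};

static bool page_mte_tagged(const struct page_model *p)
{
    return p->flags & PG_MTE_TAGGED;
}

/* CONFIG_KASAN_HW_TAGS style allocation: pick a tag and colour memory to match. */
static void kasan_alloc_page(struct page_model *p, uint8_t tag)
{
    p->flags = 0;
    p->kasan_tag = tag;
    memset(p->tags, tag, GRANULES);
}

/* An access is valid only if the pointer tag matches every granule's memory tag. */
bool kasan_access_ok(const struct page_model *p)
{
    for (int i = 0; i < GRANULES; i++)
        if (p->tags[i] != p->kasan_tag)
            return false;
    return true;
}

/* mte_restore_tags()/mte_sync_page_tags() stand-in: returns true only when tags
 * were really restored or cleared. With fixed=true the flag is set right here. */
static bool mte_sync_page_tags_model(struct page_model *p, const struct pte_model *pte, bool fixed)
{
    if (pte->is_swap && pte->has_saved_tags) {
        memcpy(p->tags, pte->saved_tags, GRANULES);   /* restore from swap */
        if (fixed)
            p->flags |= PG_MTE_TAGGED;
        return true;
    }
    if (!pte->is_tagged)
        return false;                  /* untagged mapping: nothing was touched */
    memset(p->tags, 0, GRANULES);      /* clear tags for a PROT_MTE mapping */
    if (fixed)
        p->flags |= PG_MTE_TAGGED;
    return true;
}

/* mte_sync_tags() stand-in. Pre-fix the flag is set unconditionally before
 * knowing whether mte_sync_page_tags() will do anything at all. */
void mte_sync_tags_model(struct page_model *p, const struct pte_model *pte, bool fixed)
{
    if (page_mte_tagged(p))
        return;                        /* already tagged: nothing to sync */
    if (!fixed)
        p->flags |= PG_MTE_TAGGED;     /* pre-fix test_and_set_bit() behaviour */
    mte_sync_page_tags_model(p, pte, fixed);
}

/* copy_highpage() stand-in: tags travel with the data only for tagged pages. */
void copy_highpage_model(struct page_model *dst, const struct page_model *src)
{
    if (page_mte_tagged(src)) {
        memcpy(dst->tags, src->tags, GRANULES);
        dst->flags |= PG_MTE_TAGGED;
    }
}

/* Advisory scenario: swap-looking PTE, no saved tags, untagged mapping, tags of
 * both pages owned by KASAN, then a migration copy. Returns whether the
 * destination page is still consistent for KASAN afterwards. */
bool migrate_scenario(bool fixed)
{
    struct page_model src, dst;
    struct pte_model pte = { .is_swap = true, .has_saved_tags = false, .is_tagged = false };
    kasan_alloc_page(&src, 0xf2);      /* constructed values echoing the report */
    kasan_alloc_page(&dst, 0xf5);
    mte_sync_tags_model(&src, &pte, fixed);
    copy_highpage_model(&dst, &src);
    return kasan_access_ok(&dst);
}

/* Regression check: a real PROT_MTE mapping must still end up flagged after the fix. */
bool tagged_mapping_marks_page(bool fixed)
{
    struct page_model p;
    struct pte_model pte = { .is_swap = false, .has_saved_tags = false, .is_tagged = true };
    kasan_alloc_page(&p, 0xf2);
    mte_sync_tags_model(&p, &pte, fixed);
    return page_mte_tagged(&p);
}
```

In the pre-fix run, migrate_scenario(false) returns false: the source page is flagged although nothing was cleared or restored, so copy_highpage_model() drags its KASAN-owned tags (f2) onto a destination whose pointer tag is f5, which is the mismatch the KASAN report shows. With fixed=true the flag is never set, no tags are copied, and the destination stays consistent, while tagged_mapping_marks_page() shows the fix still flags pages that really had tags cleared.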

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in the index yet)