{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49554", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.590Z", "datePublished": "2025-02-26T02:14:02.649Z", "dateUpdated": "2025-05-04T08:40:26.141Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:40:26.141Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzsmalloc: fix races between asynchronous zspage free and page migration\n\nThe asynchronous zspage free worker tries to lock a zspage's entire page\nlist without defending against page migration. Since pages which haven't\nyet been locked can concurrently migrate off the zspage page list while\nlock_zspage() churns away, lock_zspage() can suffer from a few different\nlethal races.\n\nIt can lock a page which no longer belongs to the zspage and unsafely\ndereference page_private(), it can unsafely dereference a torn pointer to\nthe next page (since there's a data race), and it can observe a spurious\nNULL pointer to the next page and thus not lock all of the zspage's pages\n(since a single page migration will reconstruct the entire page list, and\ncreate_page_chain() unconditionally zeroes out each list pointer in the\nprocess).\n\nFix the races by using migrate_read_lock() in lock_zspage() to synchronize\nwith page migration."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/zsmalloc.c"], "versions": [{"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "3674d8a8dadd03a447dd21069d4dacfc3399b63b", "status": "affected", "versionType": "git"}, {"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "645996efc2ae391246d595832aaa6f9d3cc338c7", "status": "affected", "versionType": "git"}, {"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "fc658c083904427abbf8f18280d517ee2668677c", "status": "affected", "versionType": "git"}, {"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "fae05b2314b147a78fbed1dc4c645d9a66313758", "status": "affected", "versionType": "git"}, {"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "3ec459c8810e658401be428d3168eacfc380bdd0", "status": "affected", "versionType": "git"}, {"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "8ba7b7c1dad1f6503c541778f31b33f7f62eb966", "status": "affected", "versionType": "git"}, {"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "c5402fb5f71f1a725f1e55d9c6799c0c7bec308f", "status": "affected", "versionType": "git"}, {"version": "77ff465799c60294e248000cd22ae8171da3304c", "lessThan": "2505a981114dcb715f8977b8433f7540854851d8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/zsmalloc.c"], "versions": [{"version": "4.14", "status": "affected"}, {"version": "0", "lessThan": "4.14", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.282", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.246", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.197", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.120", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.45", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.13", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.2", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "4.14.282"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "4.19.246"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.4.197"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.10.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.15.45"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.17.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.18.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b"}, {"url": "https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7"}, {"url": "https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c"}, {"url": "https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758"}, {"url": "https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0"}, {"url": "https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966"}, {"url": "https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f"}, {"url": "https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8"}], "title": "zsmalloc: fix races between asynchronous zspage free and page migration", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D697ED37-2BFA-4A75-9665-BBC0B0BE0FC1", "versionEndExcluding": "4.14.282", "versionStartIncluding": "4.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEDF30DC-BB12-4C4C-A134-AA5D59D73C0C", "versionEndExcluding": "4.19.246", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7FDD830-741D-44F7-A537-13755A4314DE", "versionEndExcluding": "5.4.197", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "92818976-ECCC-4744-9287-E2CF4B2C4131", "versionEndExcluding": "5.10.120", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "08D699AD-F4CE-4BDD-A97E-4997299C7712", "versionEndExcluding": "5.15.45", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "192FC54B-5367-49D6-B410-0285F14665B1", "versionEndExcluding": "5.17.13", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FF255A1-64F4-4E31-AF44-C92FB8773BA2", "versionEndExcluding": "5.18.2", "versionStartIncluding": "5.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzsmalloc: fix races between asynchronous zspage free and page migration\n\nThe asynchronous zspage free worker tries to lock a zspage's entire page\nlist without defending against page migration. Since pages which haven't\nyet been locked can concurrently migrate off the zspage page list while\nlock_zspage() churns away, lock_zspage() can suffer from a few different\nlethal races.\n\nIt can lock a page which no longer belongs to the zspage and unsafely\ndereference page_private(), it can unsafely dereference a torn pointer to\nthe next page (since there's a data race), and it can observe a spurious\nNULL pointer to the next page and thus not lock all of the zspage's pages\n(since a single page migration will reconstruct the entire page list, and\ncreate_page_chain() unconditionally zeroes out each list pointer in the\nprocess).\n\nFix the races by using migrate_read_lock() in lock_zspage() to synchronize\nwith page migration."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: zsmalloc: arregla las ejecuciones entre la liberaci\u00f3n asincr\u00f3nica de zspage y la migraci\u00f3n de p\u00e1gina El trabajador de liberaci\u00f3n asincr\u00f3nica de zspage intenta bloquear la lista completa de p\u00e1ginas de una zspage sin defenderse contra la migraci\u00f3n de p\u00e1gina. Dado que las p\u00e1ginas que a\u00fan no se han bloqueado pueden migrar simult\u00e1neamente fuera de la lista de p\u00e1ginas de la zspage mientras lock_zspage() se procesa, lock_zspage() puede sufrir algunas ejecuciones letales diferentes. Puede bloquear una p\u00e1gina que ya no pertenece a la zspage y desreferenciar de forma insegura page_private(), puede desreferenciar de forma insegura un puntero roto a la siguiente p\u00e1gina (ya que hay una ejecuci\u00f3n de datos), y puede observar un puntero NULL espurio a la siguiente p\u00e1gina y, por lo tanto, no bloquear todas las p\u00e1ginas de la zspage (ya que una sola migraci\u00f3n de p\u00e1gina reconstruir\u00e1 la lista de p\u00e1ginas completa, y create_page_chain() pone a cero incondicionalmente cada puntero de lista en el proceso). Corrija las ejecuciones usando migrants_read_lock() en lock_zspage() para sincronizar con la migraci\u00f3n de p\u00e1gina."}], "id": "CVE-2022-49554", "lastModified": "2025-10-22T17:33:36.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:31.223", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: zsmalloc: fix races between asynchronous zspage free and page migration", "id": "2347997", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347997"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nzsmalloc: fix races between asynchronous zspage free and page migration\nThe asynchronous zspage free worker tries to lock a zspage's entire page\nlist without defending against page migration. Since pages which haven't\nyet been locked can concurrently migrate off the zspage page list while\nlock_zspage() churns away, lock_zspage() can suffer from a few different\nlethal races.\nIt can lock a page which no longer belongs to the zspage and unsafely\ndereference page_private(), it can unsafely dereference a torn pointer to\nthe next page (since there's a data race), and it can observe a spurious\nNULL pointer to the next page and thus not lock all of the zspage's pages\n(since a single page migration will reconstruct the entire page list, and\ncreate_page_chain() unconditionally zeroes out each list pointer in the\nprocess).\nFix the races by using migrate_read_lock() in lock_zspage() to synchronize\nwith page migration."], "name": "CVE-2022-49554", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49554\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49554\nhttps://lore.kernel.org/linux-cve-announce/2025022616-CVE-2022-49554-bd02@gregkh/T"], "threat_severity": "Low"}

{"created": "2025-07-12T22:16:24.930409+00:00", "updated": "2025-07-12T22:16:24.930459+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}