CVE-2022-49152 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
XArray: Fix xas_create_range() when multi-order entry present
If there is already an entry present that is of order >= XA_CHUNK_SHIFT when we call xas_create_range(), xas_create_range() will misinterpret that entry as a node and dereference xa_node->parent, generally leading to a crash that looks something like this:
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0
RIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline]
RIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725
It's deterministically reproducible once you know what the problem is, but producing it in a live kernel requires khugepaged to hit a race. While the problem has been present since xas_create_range() was introduced, I'm not aware of a way to hit it before the page cache was converted to use multi-index entries.
Analysis
by VulDB Data Team • 06/19/2025
CVE-2022-49152 is a critical null pointer dereference in the Linux kernel's XArray implementation, specifically in xas_create_range(). The XArray underpins the page cache and other parts of the memory management subsystem, and the flaw surfaces when the array holds multi-order entries. If an existing entry has an order greater than or equal to XA_CHUNK_SHIFT, xas_create_range() misinterprets it as an xa_node and tries to dereference the parent pointer of that supposed node. The result is an immediate general protection fault, which makes the bug a severe stability risk for affected systems.
The root cause is inadequate state checking inside xas_create_range(): the code does not distinguish an actual node structure from a multi-order entry that covers several chunks. When it encounters such an entry it treats it as a node and reads the parent pointer, which is null for such entries, so the read is a null pointer dereference that produces a kernel oops and a crash. The weakness is classified as CWE-476 (NULL Pointer Dereference) and is a classic case of improper input validation and state management in kernel code. It is particularly insidious because the path is reached during huge page handling, where the khugepaged kernel thread performs transparent huge page management in the background.
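The two paragraphs above describe an entry of order >= XA_CHUNK_SHIFT being taken for an xa_node. The following C model, added here and not taken from the kernel (helper names and the struct layout are simplified from include/linux/xarray.h, and the two-node sample tree is constructed), shows why a slot content that is not a node, once misread as one, produces a near-null parent load, and what a type check before the parent walk looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of the XArray tagged-pointer encoding, written for this page (it is
 * not kernel code; helper names and the struct layout are simplified from
 * include/linux/xarray.h). Bit 0 set = value entry; low bits 10b = internal
 * entry; an internal entry above 4096 is a node pointer, smaller internal
 * values are sibling/retry/zero markers. A plain data pointer has low bits 00b. */
struct xa_node {
    unsigned char shift, offset, count, nr_values;
    struct xa_node *parent;          /* offset 8 on 64-bit, as in the kernel */
};

static bool xa_is_value(const void *e)    { return (uintptr_t)e & 1; }
static bool xa_is_internal(const void *e) { return ((uintptr_t)e & 3) == 2; }
static bool xa_is_node(const void *e)     { return xa_is_internal(e) && (uintptr_t)e > 4096; }
static void *xa_mk_value(uintptr_t v)     { return (void *)((v << 1) | 1); }
static void *xa_mk_sibling(unsigned off)  { return (void *)(((uintptr_t)off << 2) | 2); }
static void *xa_mk_node(struct xa_node *n){ return (void *)((uintptr_t)n | 2); }
static struct xa_node *xa_to_node(const void *e) { return (struct xa_node *)((uintptr_t)e - 2); }

/* What an unchecked walk computes: the address it would load the parent from
 * when it assumes the slot holds a node. For a sibling marker the bogus node
 * address is near zero, so the load lands in the 0x8-0xf range that KASAN
 * reported in the summary above. Returns the address, never dereferences it. */
static uintptr_t parent_addr_unchecked(const void *slot)
{
    return (uintptr_t)xa_to_node(slot) + offsetof(struct xa_node, parent);
}

/* Hardened walk step: only follow the parent pointer of a real node entry;
 * a value, a sibling marker or a plain data pointer yields NULL instead. */
static struct xa_node *parent_checked(const void *slot)
{
    if (!xa_is_node(slot))
        return NULL;
    return xa_to_node(slot)->parent;
}

/* Constructed two-level sample: the root's slot holds the child's node entry. */
static struct xa_node sample_root = { .shift = 6 };
static struct xa_node sample_child = { .shift = 0, .parent = &sample_root };

static void *sample_child_entry(void) { return xa_mk_node(&sample_child); }
```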
Operationally, the bug can crash the whole system, which amounts to a denial of service in production environments. The crash occurs during page cache operations in which the kernel creates index ranges, so systems that use transparent huge pages and perform heavy memory management work are the most exposed. Triggering it requires specific conditions: multi-index entries must be present in the page cache and khugepaged must hit the right timing, which makes it hard to reproduce on demand but no less dangerous when it occurs. Because the fault is deterministic once those conditions are met, any system running an affected kernel version is at risk during ordinary memory management activity.
Mitigation requires updating to a kernel version that contains the fix for the XArray implementation. The fix checks the entry type before dereferencing a parent pointer, so multi-order entries are correctly recognized and handled without any attempt to follow a parent reference they do not have. System administrators should apply the relevant kernel security patches promptly, above all on production systems where the triggering conditions are likely to be met. Organizations should also monitor system stability and collect kernel crash reports so that attempts to trigger the fault are detected. From an ATT&CK perspective, the vulnerability could form part of a broader attack chain aimed at system stability and availability, potentially leading to privilege escalation or persistent access through system disruption. The case underlines the need for rigorous input validation in kernel code and for careful handling of data structures whose slots can hold more than one kind of entry within the same abstraction layer.