CVE-2022-50323 in Linux

Summary

by MITRE • 09/15/2025

In the Linux kernel, the following vulnerability has been resolved:

net: do not sense pfmemalloc status in skb_append_pagefrags()

skb_append_pagefrags() is used by af_unix and udp sendpage() implementation so far.

In commit 326140063946 ("tcp: TX zerocopy should not sense pfmemalloc status") we explained why we should not sense pfmemalloc status for pages owned by user space.

We should also use skb_fill_page_desc_noacc() in skb_append_pagefrags() to avoid following KCSAN report:

BUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags

write to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0:
 __list_add include/linux/list.h:73 [inline]
 list_add include/linux/list.h:88 [inline]
 lruvec_add_folio include/linux/mm_inline.h:323 [inline]
 lru_add_fn+0x327/0x410 mm/swap.c:228
 folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246
 lru_add_drain_cpu+0x73/0x250 mm/swap.c:669
 lru_add_drain+0x21/0x60 mm/swap.c:773
 free_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:256 [inline]
 tlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263
 tlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363
 exit_mmap+0x190/0x4d0 mm/mmap.c:3098
 __mmput+0x27/0x1b0 kernel/fork.c:1185
 mmput+0x3d/0x50 kernel/fork.c:1207
 copy_process+0x19fc/0x2100 kernel/fork.c:2518
 kernel_clone+0x166/0x550 kernel/fork.c:2671
 __do_sys_clone kernel/fork.c:2812 [inline]
 __se_sys_clone kernel/fork.c:2796 [inline]
 __x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1:
 page_is_pfmemalloc include/linux/mm.h:1817 [inline]
 __skb_fill_page_desc include/linux/skbuff.h:2432 [inline]
 skb_fill_page_desc include/linux/skbuff.h:2453 [inline]
 skb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974
 unix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338
 kernel_sendpage+0x184/0x300 net/socket.c:3561
 sock_sendpage+0x5a/0x70 net/socket.c:1054
 pipe_to_sendpage+0x128/0x160 fs/splice.c:361
 splice_from_pipe_feed fs/splice.c:415 [inline]
 __splice_from_pipe+0x222/0x4d0 fs/splice.c:559
 splice_from_pipe fs/splice.c:594 [inline]
 generic_splice_sendpage+0x89/0xc0 fs/splice.c:743
 do_splice_from fs/splice.c:764 [inline]
 direct_splice_actor+0x80/0xa0 fs/splice.c:931
 splice_direct_to_actor+0x305/0x620 fs/splice.c:886
 do_splice_direct+0xfb/0x180 fs/splice.c:974
 do_sendfile+0x3bf/0x910 fs/read_write.c:1255
 __do_sys_sendfile64 fs/read_write.c:1323 [inline]
 __se_sys_sendfile64 fs/read_write.c:1309 [inline]
 __x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x0000000000000000 -> 0xffffea00058fc188

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022


Analysis

by VulDB Data Team • 01/10/2026

CVE-2022-50323 addresses a concurrency issue in the Linux kernel's networking subsystem, specifically in the skb_append_pagefrags() function. This function is used by the af_unix and udp sendpage() implementations to append page fragments to socket buffers. The flaw is a data race: two kernel threads access and modify the same memory location at the same time, which can lead to memory corruption and system instability. The root cause is the pfmemalloc status check performed while filling the page-fragment descriptor, which races with memory-management operations on the same page.

The KCSAN report shows the race concretely. KCSAN detected concurrent accesses to the address 0xffffea00058fc1c8: a write by task 17319 on CPU 0 and a read by task 17325 on CPU 1. The write originates in lru_add_fn() in mm/swap.c, while the read is in page_is_pfmemalloc(), reached from skb_append_pagefrags() through the page-fragment descriptor helpers. The race affects the page-fragment descriptor management in socket buffers: the field carrying the pfmemalloc status is modified concurrently with the read, so the kernel may act on a corrupted value and access corrupted memory locations.
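A KCSAN report like the one above is the raw signal an operator gets; to act on it (which function performed each access, and whether the path is reachable from an ordinary system call) it helps to pull the facts out into a structured form. The following Python is an added example, not part of the VulDB entry or of the kernel, that parses the KCSAN report quoted on this page (abbreviated inline, in its run-together form) and summarises both sides of the race: the bytes touched, the innermost and owning function, and the syscall each side was entered through. The regular expressions encode my assumptions about the report layout as it appears here; they are not a kernel-defined grammar.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

# Layout assumptions are mine, derived from the KCSAN report quoted on this page.
ACCESS_RE = re.compile(  # "write to 0x... of 8 bytes by task 17319 on cpu 0:"
    r"^(?P<kind>read|write)(?: \(marked\))? to (?P<addr>0x[0-9a-f]+) of (?P<size>\d+) bytes"
    r" by (?P<ctx>task \d+|interrupt) on cpu (?P<cpu>\d+):")
FRAME_RE = re.compile(  # "func+0xoff/0xlen path:line [inline]"; everything after func is optional
    r"(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<loc>[\w/.\-]+:\d+))?(?P<inl>\s+\[inline\])?")
TITLE_RE = re.compile(r"^BUG: KCSAN: data-race in (\S+) / (\S+)")
VALUE_RE = re.compile(r"^value changed: (0x[0-9a-f]+) -> (0x[0-9a-f]+)")
SYSCALL_RE = re.compile(r"^__(?:x64|do|se)_sys_(\w+)$")  # x86-64 syscall entry wrappers

class Frame(NamedTuple):
    func: str
    loc: Optional[str]
    inline: bool

@dataclass
class Access:
    kind: str          # "read" or "write"
    addr: int
    size: int
    context: str       # "task <pid>" or "interrupt"
    cpu: int
    frames: list[Frame] = field(default_factory=list)  # innermost frame first

@dataclass
class Report:
    functions: tuple[str, str] = ("", "")
    accesses: list[Access] = field(default_factory=list)
    value_before: Optional[int] = None
    value_after: Optional[int] = None

def _frames(chunk: str) -> list[Frame]:
    return [Frame(m["func"], m["loc"], bool(m["inl"])) for m in FRAME_RE.finditer(chunk)]

def parse_kcsan_report(text: str) -> Report:
    """Walk the report line by line; a blank line ends the current stack trace."""
    rep, current = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif (m := TITLE_RE.match(line)):
            rep.functions = (m[1], m[2])
        elif (m := ACCESS_RE.match(line)):
            current = Access(m["kind"], int(m["addr"], 16), int(m["size"]), m["ctx"], int(m["cpu"]))
            current.frames.extend(_frames(line[m.end():]))  # frames may continue on this line
            rep.accesses.append(current)
        elif (m := VALUE_RE.match(line)):
            rep.value_before, rep.value_after = int(m[1], 16), int(m[2], 16)
        elif current is not None:
            current.frames.extend(_frames(line))
    return rep

def triage(rep: Report) -> dict:
    """Do the accesses conflict, which function owns each side, and which syscall reached it?"""
    def owner(a):  # first non-inlined frame: the function whose code performed the access
        return next((f.func for f in a.frames if not f.inline), None)
    def syscall(a):
        return next((m[1] for f in a.frames if (m := SYSCALL_RE.match(f.func))), None)
    lo = max((a.addr for a in rep.accesses), default=0)
    hi = min((a.addr + a.size for a in rep.accesses), default=0)
    return {
        "conflicting": hi > lo and any(a.kind == "write" for a in rep.accesses),
        "cross_cpu": len({a.cpu for a in rep.accesses}) > 1,
        "value_changed": rep.value_before is not None and rep.value_before != rep.value_after,
        "sides": [{"kind": a.kind, "context": a.context, "cpu": a.cpu,
                   "inner": a.frames[0].func if a.frames else None,
                   "owner": owner(a), "syscall": syscall(a)} for a in rep.accesses],
    }

# Abbreviated from the KCSAN report quoted on this page, kept in its run-together form.
SAMPLE_REPORT = """\
BUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags

write to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0: __list_add include/linux/list.h:73 [inline]
lru_add_fn+0x327/0x410 mm/swap.c:228 folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246
__x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796 do_syscall_x64 arch/x86/entry/common.c:50 [inline]

read to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1: page_is_pfmemalloc include/linux/mm.h:1817 [inline]
skb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974 unix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338
__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:50 [inline]

value changed: 0x0000000000000000 -> 0xffffea00058fc188
"""

if __name__ == "__main__":
    rep = parse_kcsan_report(SAMPLE_REPORT)
    for side in triage(rep)["sides"]:
        print(f"{side['kind']:5} by {side['context']} on cpu {side['cpu']}: {side['inner']} "
              f"in {side['owner']}, reached via sys_{side['syscall']}")
    print({k: v for k, v in triage(rep).items() if k != "sides"})
```

On this report the triage marks the pair as conflicting (one side writes, both touch the same 8 bytes, and KCSAN observed the value change), attributes the write to lru_add_fn() on the clone path and the read to skb_append_pagefrags() on the sendfile64 path, which is what makes the read side the one to inspect first: it is entered from an unprivileged system call, while the write is ordinary memory-management work. The "owner" is the first frame not marked [inline], since the inlined helpers above it (here __skb_fill_page_desc() and page_is_pfmemalloc()) live in the caller's compiled body.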

This vulnerability directly impacts the Linux kernel's networking stack reliability and can lead to system crashes, data corruption, or potential privilege escalation scenarios. The operational impact extends beyond simple network connectivity issues as it affects core memory management operations that are fundamental to kernel stability. The race condition can cause the kernel to incorrectly handle memory pages during socket operations, potentially leading to use-after-free conditions or memory corruption that could be exploited by malicious actors. The vulnerability affects systems running kernel versions where the specific commit 326140063946 was not properly implemented, particularly those using af_unix and udp networking protocols heavily. According to CWE classification, this maps to CWE-362, Concurrent Execution using Shared Resource with Unprotected Read-Write Access, and aligns with ATT&CK technique T1059.003 for kernel-level exploitation.

The recommended mitigation strategy involves implementing proper memory access synchronization mechanisms within the skb_append_pagefrags() function by utilizing the skb_fill_page_desc_noacc() function instead of the traditional skb_fill_page_desc(). This change eliminates the problematic pfmemalloc status checks that contribute to the race condition. Additionally, kernel administrators should ensure their systems are updated to versions containing the fix, which typically involves applying the specific patch that addresses the commit mentioned in the vulnerability report. System administrators should also monitor for KCSAN reports and implement proper kernel hardening measures including disabling unnecessary network protocols and implementing memory management policies that reduce concurrency conflicts. The fix fundamentally changes how page fragment descriptors are handled in socket buffer operations, ensuring proper atomicity and memory consistency during concurrent access scenarios.

Responsible

Linux

Reservation

09/15/2025

Disclosure

09/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00143

KEV

no

Activities

very low

Sources
