Linux Kernel up to 6.1.10 uffd fork information disclosure

Summaryinfo

A vulnerability identified as problematic has been detected in Linux Kernel up to 6.1.10. Affected by this issue is the function fork of the component uffd. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2022-49744. It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 6.1.10. This issue affects the function fork of the component uffd. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: mm/uffd: fix pte marker when fork() without fork event Patch series "mm: Fixes on pte markers". Patch 1 resolves the syzkiller report from Pengfei. Patch 2 further harden pte markers when used with the recent swapin error markers. The major case is we should persist a swapin error marker after fork(), so child shouldn't read a corrupted page. This patch (of 2): When fork(), dst_vma is not guaranteed to have VM_UFFD_WP even if src may have it and has pte marker installed. The warning is improper along with the comment. The right thing is to inherit the pte marker when needed, or keep the dst pte empty. A vague guess is this happened by an accident when there's the prior patch to introduce src/dst vma into this helper during the uffd-wp feature got developed and I probably messed up in the rebase, since if we replace dst_vma with src_vma the warning & comment it all makes sense too. Hugetlb did exactly the right here (copy_hugetlb_page_range()). Fix the general path. Reproducer: https://github.com/xupengfe/syzkaller_logs/blob/main/221208_115556_copy_page_range/repro.c Bugzilla report: https://bugzilla.kernel.org/show_bug.cgi?id=216808

The advisory is shared at git.kernel.org. The identification of this vulnerability is CVE-2022-49744 since 03/27/2025. The exploitation is known to be difficult. The attack may be initiated remotely. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 247369 (Linux Distros Unpatched Vulnerability : CVE-2022-49744), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.1.11 eliminates this vulnerability. Applying the patch 2d11727655bf931776fb541f5862daf04bd5bf02/49d6d7fb631345b0f2957a7c4be24ad63903150f is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (247369) and CERT Bund (WID-SEC-2025-0649). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Google Container-Optimized OS
• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• Dell Avamar
• Open Source Linux Kernel
• SolarWinds Security Event Manager
• Dell NetWorker
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.1.0
• 6.1.1
• 6.1.2
• 6.1.3
• 6.1.4
• 6.1.5
• 6.1.6
• 6.1.7
• 6.1.8
• 6.1.9
• 6.1.10

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion