CVE-2022-50849 is a vulnerability found in the Linux kernel, specifically related to the pstore functionality. This vulnerability allows an 'oops' to be generated when executing 'cat /proc/kcore > /dev/null' on devices that utilize pstore with the RAM backend. This occurs because kmap_atomic() incorrectly assumes that low memory pages are accessible with __va().
The severity level of this vulnerability is classified as low, indicating that while it does pose a risk, it is not currently known to be actively exploited in the wild. The risk to organizations includes potential system instability or crashes, especially in environments where pstore is used extensively.
Given the low urgency associated with this vulnerability, organizations should still monitor for updates from the Linux kernel maintainers and schedule remediation within their standard maintenance cycles.
The vulnerability was published on December 30, 2025. The fix passes VM_IOREMAP to vmap() in pstore's RAM backend, which tells vread() to leave the ramoops region out of /proc/kcore reads; the area then reads back as zeros instead of triggering the oops.
Organizations are advised to stay informed about any patches or updates that address this vulnerability and to take appropriate action when necessary.
Vulnerability Details
In the Linux kernel, the following vulnerability has been resolved:

pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP

An oops can be induced by running 'cat /proc/kcore > /dev/null' on devices using pstore with the ram backend because kmap_atomic() assumes lowmem pages are accessible with __va().

    Unable to handle kernel paging request at virtual address ffffff807ff2b000
    Mem abort info:
      ESR = 0x96000006
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x06: level 2 translation fault
    Data abort info:
      ISV = 0, ISS = 0x00000006
      CM = 0, WnR = 0
    swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000
    [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000
    Internal error: Oops: 96000006 [#1] PREEMPT SMP
    Modules linked in: dm_integrity
    CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba
    Hardware name: Google Lazor (rev3 - 8) (DT)
    pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : __memcpy+0x110/0x260
    lr : vread+0x194/0x294
    sp : ffffffc013ee39d0
    x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000
    x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000
    x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000
    x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000
    x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60
    x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001
    x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b
    x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000
    x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78
    x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000
    Call trace:
     __memcpy+0x110/0x260
     read_kcore+0x584/0x778
     proc_reg_read+0xb4/0xe4

During early boot, memblock reserves the pages for the ramoops reserved memory node in DT that would otherwise be part of the direct lowmem mapping. Pstore's ram backend reuses those reserved pages to change the memory type (writeback or non-cached) by passing the pages to vmap() (see pfn_to_page() usage in persistent_ram_vmap() for more details) with specific flags. When read_kcore() starts iterating over the vmalloc region, it runs over the virtual address that vmap() returned for ramoops. In aligned_vread() the virtual address is passed to vmalloc_to_page() which returns the page struct for the reserved lowmem area. That lowmem page is passed to kmap_atomic(), which effectively calls page_to_virt() that assumes a lowmem page struct must be directly accessible with __va() and friends. These pages are mapped via vmap() though, and the lowmem mapping was never made, so accessing them via the lowmem virtual address oopses like above.

Let's side-step this problem by passing VM_IOREMAP to vmap(). This will tell vread() to not include the ramoops region in the kcore. Instead, the area will look like a bunch of zeros. The alternative is to teach kmap() about vmalloc areas that intersect with lowmem. Presumably such a change isn't a one-liner, and there isn't much interest in inspecting the ramoops region in kcore files anyway, so the most expedient route is taken for now.
Technical Analysis
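The root cause of this vulnerability lies in the handling of memory mapping in the Linux kernel. pstore's RAM backend maps its reserved ramoops pages with vmap(), so those pages never receive a direct lowmem mapping. When read_kcore() walks the vmalloc region and reaches the ramoops mapping, kmap_atomic() assumes the underlying lowmem page structs are reachable through __va(). The resulting access hits an address that was never mapped, which produces a kernel paging request that cannot be handled and results in system instability.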
The attack vector for this vulnerability is classified as unknown, as there are no known exploits at this time. The attack complexity is assessed as low, given that the vulnerability can be triggered with a simple command. No user interaction is required, and the impact on confidentiality, integrity, and availability could be significant in environments reliant on stable kernel operations.
Risk & Impact Analysis
Organizations running Linux kernel versions affected by CVE-2022-50849 should understand the implications this vulnerability may have on their systems. The risk to organizations includes potential system crashes or unexpected behavior due to the faulty handling of memory requests.
The blast radius for this vulnerability extends to any system utilizing pstore with the RAM backend. Thus, organizations utilizing such configurations should prioritize monitoring their systems for any irregularities that may arise.
Considering the low EPSS score of 0.00049, which places it in the 0.15 percentile, the urgency for immediate patching is low. However, organizations should still schedule remediation within their routine maintenance cycles to ensure system stability.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
All versions prior to vendor patch are affected by this vulnerability. Organizations should ensure they are operating on the latest kernel version to mitigate risks associated with CVE-2022-50849.
Mitigation & Remediation
Organizations should prioritize patching the Linux kernel to the latest stable version that addresses this vulnerability. If an immediate upgrade is not feasible, consider applying configuration hardening techniques and monitoring for any unusual behavior in systems that utilize pstore.
For additional guidance, organizations may use resources available on the AppSecure website, such as its penetration testing services, to help identify vulnerabilities and validate remediation efforts.
Detection Guidance
To detect potential exploitation of this vulnerability, organizations should monitor logs for signs of abnormal kernel behaviors, memory access violations, and unexpected system crashes. Keeping track of system stability metrics can also provide insights into the health of the kernel.
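The oops quoted under Vulnerability Details has a recognizable shape in kernel logs: a paging-request fault whose call trace contains read_kcore(). The Python sketch below is an added example, not code from the advisory or the kernel project; its log sample is constructed (abridged from the quoted oops, followed by a made-up unrelated fault using the hypothetical symbol example_driver_irq), and the function names are this example's own.

```python
import re

# Constructed sample: abridged from the oops quoted in the advisory (dmesg-style
# timestamps added), followed by an unrelated, made-up fault as a negative case.
SAMPLE_LOG = """\
[  812.100] Unable to handle kernel paging request at virtual address ffffff807ff2b000
[  812.101] CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1
[  812.102] lr : vread+0x194/0x294
[  812.103] Call trace:
[  812.104]  __memcpy+0x110/0x260
[  812.105]  read_kcore+0x584/0x778
[  812.106]  proc_reg_read+0xb4/0xe4
[  900.000] Unable to handle kernel paging request at virtual address 0000000000000010
[  900.001] CPU: 1 PID: 42 Comm: kworker/1:0 Not tainted 5.15.67 #1
[  900.002] Call trace:
[  900.003]  example_driver_irq+0x20/0x80
"""

FAULT = re.compile(r"Unable to handle kernel paging request at virtual address ([0-9a-f]+)")
TASK = re.compile(r"PID: (\d+) Comm: (\S+)")
FRAME = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")


def split_faults(text):
    """Group kernel log lines into one record per paging-request fault."""
    records, cur, in_trace = [], None, False
    for line in text.splitlines():
        hit = FAULT.search(line)
        if hit:
            cur = {"addr": hit.group(1), "pid": None, "comm": None, "frames": []}
            records.append(cur)
            in_trace = False
        elif cur is None:
            continue  # nothing to attach this line to yet
        elif "Call trace:" in line:
            in_trace = True  # pc/lr lines before this are not stack frames
        elif in_trace and (frame := FRAME.search(line)):
            cur["frames"].append(frame.group(1))
        elif task := TASK.search(line):
            cur["pid"], cur["comm"] = int(task.group(1)), task.group(2)
    return records


def kcore_read_faults(text):
    """Faults raised with read_kcore() on the stack, as in the advisory's trace."""
    # Heuristic: confirm the host uses pstore's ram backend before attributing a hit.
    return [r for r in split_faults(text) if "read_kcore" in r["frames"]]
```

Feeding it saved `dmesg` or journal text returns one record per matching fault, with the faulting address and the PID and command name of the process that was reading /proc/kcore.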
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2022-50849 lies in its reflection of underlying memory management issues within the Linux kernel. This vulnerability showcases the need for continuous review and enhancement of kernel functionalities that interact with low memory regions.
Security teams should take this incident as a reminder to adopt a proactive approach in vulnerability management and ensure that their systems are regularly updated to mitigate the risk of similar vulnerabilities.
For organizations implementing cloud-based solutions, refer to the cloud penetration testing guide to enhance security measures.
Additionally, utilizing resources such as the vulnerability management program can help organizations identify and manage risks effectively.
Finally, ensuring best practices in penetration testing methodology will further enhance the security posture of organizations against similar vulnerabilities.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
