CVE-2022-48897: arm64/mm: fix incorrect file_map_count for invalid pmd
In the Linux kernel, the following vulnerability has been resolved:
arm64/mm: fix incorrect file_map_count for invalid pmd
The page table check trigger BUG_ON() unexpectedly when split hugepage:
------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:119!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748
Hardware name: linux,dummy-virt (DT)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : page_table_check_set.isra.0+0x398/0x468
lr : page_table_check_set.isra.0+0x1c0/0x468
[...]
Call trace:
page_table_check_set.isra.0+0x398/0x468
__page_table_check_pte_set+0x160/0x1c0
__split_huge_pmd_locked+0x900/0x1648
__split_huge_pmd+0x28c/0x3b8
unmap_page_range+0x428/0x858
unmap_single_vma+0xf4/0x1c8
zap_page_range+0x2b0/0x410
madvise_vma_behavior+0xc44/0xe78
do_madvise+0x280/0x698
__arm64_sys_madvise+0x90/0xe8
invoke_syscall.constprop.0+0xdc/0x1d8
do_el0_svc+0xf4/0x3f8
el0_svc+0x58/0x120
el0t_64_sync_handler+0xb8/0xc0
el0t_64_sync+0x19c/0x1a0
[...]
On arm64, pmd_leaf() will return true even if the pmd is invalid due to
pmd_present_invalid() check. So in pmdp_invalidate() the file_map_count
will not only decrease once but also increase once. Then in set_pte_at(),
the file_map_count increase again, and so trigger BUG_ON() unexpectedly.
Add !pmd_present_invalid() check in pmd_user_accessible_page() to fix the
problem.
Security readout for executives and security teams
Plain-English summary
CVE-2022-48897 is a Linux kernel arm64 memory-management bug that can trigger an unexpected kernel BUG during huge page splitting. The public record describes a crash condition, not data theft or remote compromise. Business urgency is highest for arm64 Linux systems running affected kernel versions, especially where untrusted local users or workloads can exercise memory-management paths.
Executive priority
Handle through normal-to-expedited Linux patch management for arm64 fleets. Escalate priority for multi-tenant, shared compute, or systems where untrusted local workloads run. There is no sourced evidence of remote exploitation or active attacks.
Technical view
On arm64, pmd_leaf() can treat an invalid PMD as a leaf because of pmd_present_invalid(). During pmdp_invalidate() and later set_pte_at(), file_map_count accounting can become incorrect, triggering page_table_check BUG_ON() when splitting a huge PMD. The fix adds a !pmd_present_invalid() check in pmd_user_accessible_page().
Likely exposure
Exposure appears limited to Linux on arm64 with affected kernel versions and relevant huge page/page table checking paths. The source bundle lists Linux 5.19 through before fixed stable releases, including 6.1.7 and 6.2 context, but distribution backports may differ.
Exploitation context
No cited source reports active exploitation, and this CVE is not marked KEV. The described failure was triggered by a local process path involving madvise and huge page splitting. Treat practical impact as possible local denial of service unless vendor guidance states otherwise.
Researcher notes
The public record provides a kernel crash trace and root cause but no CVSS, CWE, or exploit status. Analysis should focus on arm64 PMD validity handling, file_map_count accounting, transparent huge page splitting, and whether page_table_check is enabled in target builds.
Mitigation direction
Apply vendor kernel updates that include the referenced stable fixes.
If self-maintaining kernels, review and apply the linked stable commits.
Prioritize arm64 systems running affected mainline or derived kernels.
Check distribution advisories for backported fixes and exact package versions.
Validation and detection
Inventory arm64 Linux systems and running kernel versions.
Confirm whether the kernel includes the referenced stable commits.
Review crash logs for page_table_check BUG_ON during huge PMD splitting.
Check vendor advisories for affected and fixed package mappings.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48897 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.