CVE-2022-49990 (GCVE-0-2022-49990)

Vulnerability from cvelistv5 – Published: 2025-06-18 11:00 – Updated: 2026-05-23 15:23
VLAI
Title
s390: fix double free of GS and RI CBs on fork() failure
Summary
In the Linux kernel, the following vulnerability has been resolved: s390: fix double free of GS and RI CBs on fork() failure The pointers for guarded storage and runtime instrumentation control blocks are stored in the thread_struct of the associated task. These pointers are initially copied on fork() via arch_dup_task_struct() and then cleared via copy_thread() before fork() returns. If fork() happens to fail after the initial task dup and before copy_thread(), the newly allocated task and associated thread_struct memory are freed via free_task() -> arch_release_task_struct(). This results in a double free of the guarded storage and runtime info structs because the fields in the failed task still refer to memory associated with the source task. This problem can manifest as a BUG_ON() in set_freepointer() (with CONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled) when running trinity syscall fuzz tests on s390x. To avoid this problem, clear the associated pointer fields in arch_dup_task_struct() immediately after the new task is copied. Note that the RI flag is still cleared in copy_thread() because it resides in thread stack memory and that is where stack info is copied.
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8d9047f8b967ce6181fd824ae922978e1b055cc0 , < 25a95303b9e513cd2978aacc385d06e6fec23d07 (git)
Affected: 8d9047f8b967ce6181fd824ae922978e1b055cc0 , < cacd522e6652fbc2dc0cc6ae11c4e30782fef14b (git)
Affected: 8d9047f8b967ce6181fd824ae922978e1b055cc0 , < 297ae7e87a87a001dd3dfeac1cb26a42fd929708 (git)
Affected: 8d9047f8b967ce6181fd824ae922978e1b055cc0 , < 8195e065abf3df84eb0ad2987e76a40f21d1791c (git)
Affected: 8d9047f8b967ce6181fd824ae922978e1b055cc0 , < fbdc482d43eda40a70de4b0155843d5472f6de62 (git)
Affected: 8d9047f8b967ce6181fd824ae922978e1b055cc0 , < 13cccafe0edcd03bf1c841de8ab8a1c8e34f77d9 (git)
Affected: 9e51ee1b76efc7b5e9404010793a39fde0e03cb7 (git)
Affected: 232b47b3c88af1da737cd7760f247c4ed58168cf (git)
Affected: b8e212c599082896a180a18a0c9bd529526590be (git)
Affected: 4.4.105 , < 4.5 (semver)
Affected: 4.9.68 , < 4.10 (semver)
Affected: 4.14.5 , < 4.15 (semver)
Create a notification for this product.
Linux Linux Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 4.19.257 , ≤ 4.19.* (semver)
Unaffected: 5.4.212 , ≤ 5.4.* (semver)
Unaffected: 5.10.140 , ≤ 5.10.* (semver)
Unaffected: 5.15.64 , ≤ 5.15.* (semver)
Unaffected: 5.19.6 , ≤ 5.19.* (semver)
Unaffected: 6.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/process.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "25a95303b9e513cd2978aacc385d06e6fec23d07",
              "status": "affected",
              "version": "8d9047f8b967ce6181fd824ae922978e1b055cc0",
              "versionType": "git"
            },
            {
              "lessThan": "cacd522e6652fbc2dc0cc6ae11c4e30782fef14b",
              "status": "affected",
              "version": "8d9047f8b967ce6181fd824ae922978e1b055cc0",
              "versionType": "git"
            },
            {
              "lessThan": "297ae7e87a87a001dd3dfeac1cb26a42fd929708",
              "status": "affected",
              "version": "8d9047f8b967ce6181fd824ae922978e1b055cc0",
              "versionType": "git"
            },
            {
              "lessThan": "8195e065abf3df84eb0ad2987e76a40f21d1791c",
              "status": "affected",
              "version": "8d9047f8b967ce6181fd824ae922978e1b055cc0",
              "versionType": "git"
            },
            {
              "lessThan": "fbdc482d43eda40a70de4b0155843d5472f6de62",
              "status": "affected",
              "version": "8d9047f8b967ce6181fd824ae922978e1b055cc0",
              "versionType": "git"
            },
            {
              "lessThan": "13cccafe0edcd03bf1c841de8ab8a1c8e34f77d9",
              "status": "affected",
              "version": "8d9047f8b967ce6181fd824ae922978e1b055cc0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9e51ee1b76efc7b5e9404010793a39fde0e03cb7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "232b47b3c88af1da737cd7760f247c4ed58168cf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b8e212c599082896a180a18a0c9bd529526590be",
              "versionType": "git"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.105",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.68",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/s390/kernel/process.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.257",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.212",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.140",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.64",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.6",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.105",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.68",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390: fix double free of GS and RI CBs on fork() failure\n\nThe pointers for guarded storage and runtime instrumentation control\nblocks are stored in the thread_struct of the associated task. These\npointers are initially copied on fork() via arch_dup_task_struct()\nand then cleared via copy_thread() before fork() returns. If fork()\nhappens to fail after the initial task dup and before copy_thread(),\nthe newly allocated task and associated thread_struct memory are\nfreed via free_task() -\u003e arch_release_task_struct(). This results in\na double free of the guarded storage and runtime info structs\nbecause the fields in the failed task still refer to memory\nassociated with the source task.\n\nThis problem can manifest as a BUG_ON() in set_freepointer() (with\nCONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled)\nwhen running trinity syscall fuzz tests on s390x. To avoid this\nproblem, clear the associated pointer fields in\narch_dup_task_struct() immediately after the new task is copied.\nNote that the RI flag is still cleared in copy_thread() because it\nresides in thread stack memory and that is where stack info is\ncopied."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:23:30.380Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/25a95303b9e513cd2978aacc385d06e6fec23d07"
        },
        {
          "url": "https://git.kernel.org/stable/c/cacd522e6652fbc2dc0cc6ae11c4e30782fef14b"
        },
        {
          "url": "https://git.kernel.org/stable/c/297ae7e87a87a001dd3dfeac1cb26a42fd929708"
        },
        {
          "url": "https://git.kernel.org/stable/c/8195e065abf3df84eb0ad2987e76a40f21d1791c"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbdc482d43eda40a70de4b0155843d5472f6de62"
        },
        {
          "url": "https://git.kernel.org/stable/c/13cccafe0edcd03bf1c841de8ab8a1c8e34f77d9"
        }
      ],
      "title": "s390: fix double free of GS and RI CBs on fork() failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49990",
    "datePublished": "2025-06-18T11:00:51.035Z",
    "dateReserved": "2025-06-18T10:57:27.386Z",
    "dateUpdated": "2026-05-23T15:23:30.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-49990",
      "date": "2026-06-11",
      "epss": "0.00064",
      "percentile": "0.20166"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49990\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T11:15:26.637\",\"lastModified\":\"2025-11-14T18:12:44.373\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390: fix double free of GS and RI CBs on fork() failure\\n\\nThe pointers for guarded storage and runtime instrumentation control\\nblocks are stored in the thread_struct of the associated task. These\\npointers are initially copied on fork() via arch_dup_task_struct()\\nand then cleared via copy_thread() before fork() returns. If fork()\\nhappens to fail after the initial task dup and before copy_thread(),\\nthe newly allocated task and associated thread_struct memory are\\nfreed via free_task() -\u003e arch_release_task_struct(). This results in\\na double free of the guarded storage and runtime info structs\\nbecause the fields in the failed task still refer to memory\\nassociated with the source task.\\n\\nThis problem can manifest as a BUG_ON() in set_freepointer() (with\\nCONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled)\\nwhen running trinity syscall fuzz tests on s390x. To avoid this\\nproblem, clear the associated pointer fields in\\narch_dup_task_struct() immediately after the new task is copied.\\nNote that the RI flag is still cleared in copy_thread() because it\\nresides in thread stack memory and that is where stack info is\\ncopied.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: s390: se corrige la doble liberaci\u00f3n de los bloques de control de instrumentaci\u00f3n de GS y RI en el fallo de fork() Los punteros para los bloques de control de instrumentaci\u00f3n de almacenamiento protegido y tiempo de ejecuci\u00f3n se almacenan en el thread_struct de la tarea asociada. Estos punteros se copian inicialmente en fork() mediante arch_dup_task_struct() y luego se borran mediante copy_thread() antes de que fork() regrese. Si fork() falla despu\u00e9s del dup de la tarea inicial y antes de copy_thread(), la tarea reci\u00e9n asignada y la memoria thread_struct asociada se liberan mediante free_task() -\u0026gt; arch_release_task_struct(). Esto resulta en una doble liberaci\u00f3n de las estructuras de informaci\u00f3n de almacenamiento protegido y tiempo de ejecuci\u00f3n porque los campos en la tarea fallida todav\u00eda hacen referencia a la memoria asociada con la tarea de origen. Este problema puede manifestarse como un BUG_ON() en set_freepointer() (con CONFIG_SLAB_FREELIST_HARDENED habilitado) o un error de KASAN (si est\u00e1 habilitado) al ejecutar pruebas de fuzzing de llamadas al sistema de Trinity en s390x. Para evitar este problema, borre los campos de puntero asociados en arch_dup_task_struct() inmediatamente despu\u00e9s de copiar la nueva tarea. Tenga en cuenta que el indicador RI permanece borrado en copy_thread() porque reside en la memoria de la pila de subprocesos, donde se copia la informaci\u00f3n de la pila.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.105\",\"versionEndExcluding\":\"4.5\",\"matchCriteriaId\":\"1CA907F3-954E-46E2-9D62-011352BFC8AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.9.68\",\"versionEndExcluding\":\"4.10\",\"matchCriteriaId\":\"F852DBF1-7260-4E35-8D25-C8F8EEF895D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.14.5\",\"versionEndExcluding\":\"4.19.257\",\"matchCriteriaId\":\"32888C7E-F8E5-4CB9-94D8-DEA0CD7188B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.212\",\"matchCriteriaId\":\"BEFFBCD7-9B53-46AB-B3FD-53EAD80FD3E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.140\",\"matchCriteriaId\":\"A26216A8-920B-4892-A1EB-143451AFFC31\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.64\",\"matchCriteriaId\":\"292F3687-ADC2-4F3D-9710-3BCAD11A52BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.19.6\",\"matchCriteriaId\":\"89E99903-E16D-475D-954B-2BAC46C98262\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8BD11A3-8643-49B6-BADE-5029A0117325\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F0AD220-F6A9-4012-8636-155F1B841FAD\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/13cccafe0edcd03bf1c841de8ab8a1c8e34f77d9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/25a95303b9e513cd2978aacc385d06e6fec23d07\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/297ae7e87a87a001dd3dfeac1cb26a42fd929708\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8195e065abf3df84eb0ad2987e76a40f21d1791c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cacd522e6652fbc2dc0cc6ae11c4e30782fef14b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fbdc482d43eda40a70de4b0155843d5472f6de62\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.