CVE-2022-49077 [Medium] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0) If an mremap() syscall with old_size=0 ends up in move_page_tables(), it will call invalidate_range_start()/invalidate_range_end() unnecessarily, i.e. with an empty range. This causes a WARN in KVM's mmu_notifier. In the past, empty ranges have been diagnosed to be off-by-one bugs, hence the WARNing. Given the low (so far) number of unique reports, the benefits of detecting more buggy callers seem to outweigh the cost of having to fix cases such as this one, where userspace is doing something silly. In this particular case, an early return from move_page_tables() is enough to fix the issue.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-06	0.05%	0.02%	-0.03%
2	2025-11-22	0.04%	0.05%	+0.01%
3	2025-10-18	—	0.04%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-06

0.05%

0.02%

-0.03%

2025-11-22

0.04%

0.05%

+0.01%

2025-10-18

—

0.04%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2022-49077

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2022-49077 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2022-49077
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2022-49077
`suse`	medium	CVE-2022-49077 severity moderate: SUSE including 26 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 265 product×package rows across 53 product lines (SLES-LTSS-TERADATA 15 SP2, SUSE Linux Enterprise High Availability Extension 12 SP5, … (53 product lines)): Will Not Fix 194, Known Not Affected 71.	https://www.suse.com/security/cve/CVE-2022-49077/
`ubuntu`	medium	CVE-2022-49077 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, ignored 149, released 145, not-affected 108, needed 4.	https://ubuntu.com/security/CVE-2022-49077

Affected software / configurations for CVE-2022-49077

Vendor	Product	Version	Raw CPE
linux	linux_kernel	< 4.9.311	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.10, < 4.14.276	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.15, < 4.19.238	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 4.20, < 5.4.189	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.5, < 5.10.111	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.34	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 5.16.20	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.17, < 5.17.3	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	5.18	cpe:2.3:o:linux:linux_kernel:5.18:rc1::::::

References for CVE-2022-49077

URL	Tags
https://git.kernel.org/stable/c/01e67e04c28170c47700c2c226d732bbfedb1ad0	Patch
https://git.kernel.org/stable/c/04bc13dae4a27b8d030843c85ae452bb2f1d9c1f	Patch
https://git.kernel.org/stable/c/2358aa84ef6dafcf544a557caaa6b91afb4a0bd2	Patch
https://git.kernel.org/stable/c/7d659cb1763ff17d1c6ee082fa6feb4267c7a30b	Patch
https://git.kernel.org/stable/c/a04cb99c5d4668fe3f5c0e5b6da1cecd34c3f219	Patch
https://git.kernel.org/stable/c/a05540f3903bd8295e8c4cd90dd3d416239a115b	Patch
https://git.kernel.org/stable/c/c19d8de4e682ec4b0ea2b04a832cd8cc0be3bb31	Patch
https://git.kernel.org/stable/c/e2c328c2a8f9de8b761bd4025b66c63120c55761	Patch
https://git.kernel.org/stable/c/eeaf28e2a0128147d687237e59d5407ee1b14693	Patch

URL

CVE-2022-49077 | mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)

Exploit prediction scoring system (EPSS) score for CVE-2022-49077

Common vulnerability scoring system (CVSS) metrics for CVE-2022-49077

Weakness enumeration for CVE-2022-49077

OS Trackers for CVE-2022-49077

Affected software / configurations for CVE-2022-49077

References for CVE-2022-49077