CVE-2022-50338: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-50338 is a vulnerability in the Linux kernel's binder component, specifically related to a Use-After-Free (UAF) condition in the alloc->vma handling during race conditions with munmap(). The vulnerability was discovered and disclosed in September 2025, affecting Linux kernel versions 5.4 and 5.10 (RedHat XML, NVD).

The vulnerability stems from a race condition in the binder component where the mmap read lock was assumed to be sufficient to protect alloc->vma inside binderupdatepagerange(). This assumption became incorrect after changes in commit dd2283f2605e, which downgrades the mmaplock after detaching the vma from the rbtree in munmap(). The issue allows the teardown and freeing of vma with only the read lock held, leading to potential UAF conditions. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (RedHat XML).

The vulnerability can lead to a Use-After-Free condition in the Linux kernel, potentially causing system crashes or denial of service. The CVSS scoring indicates high impact on availability but no direct impact on confidentiality or integrity (RedHat XML).

The issue has been resolved by reverting back to taking the mmap write lock inside binderupdatepagerange(). While this might suggest potential mmap lock contention, the binder already serializes these calls via top-level alloc->mutex, and no performance impact was observed in benchmark tests. For newer kernel releases (after 5.10), the issue is inherently avoided as binder no longer caches a pointer to the vma, instead using vmalookup() (NVD).