In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free.
I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables.
[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c23105673228c349739e958fa33955ed8faddcaf",
        "id": "CVE-2022-48991-00a7a73c",
        "deprecated": false,
        "target": {
            "function": "retract_page_tables",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 804.0,
            "function_hash": "269907525181506976252175393353212894929"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5ffc2a75534d9d74d49760f983f8eb675fa63d69",
        "id": "CVE-2022-48991-0a96ceac",
        "deprecated": false,
        "target": {
            "function": "collapse_pte_mapped_thp",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 1684.0,
            "function_hash": "266581606045745723379142446880986581194"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5450535901d89a5dcca5fbbc59a24fe89caeb465",
        "id": "CVE-2022-48991-2681d7ad",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "314844019185933171540387439972928947504",
                "176166577683665143721604897638321889648",
                "199407057513372132293066281949749840360",
                "6923636904771971719167055873328853139",
                "90048831711267281744977809635289487608",
                "326215295388998476911803733858733116132",
                "331232796034447634338611337985285542812",
                "59862810145342162817983909678752435807",
                "85247870216774811384902851246897011820"
            ]
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f445ca2e0e59c7971d0b7b853465e50844ab596",
        "id": "CVE-2022-48991-27b1df1e",
        "deprecated": false,
        "target": {
            "function": "collapse_pte_mapped_thp",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 1684.0,
            "function_hash": "266581606045745723379142446880986581194"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c23105673228c349739e958fa33955ed8faddcaf",
        "id": "CVE-2022-48991-2d9730b2",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "201408510426627671987750399254375304236",
                "59371218742431227336805894933071523795",
                "331314138205965883962236474474453706782",
                "280917920320814202623601024407042581149",
                "24707142968059241908456216573059875391",
                "56282128947664077061433067160222244670",
                "212220281541008474828762900391427036897",
                "304147931366848572940403249065543512146",
                "72189950699536433957502420412794833462"
            ]
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3",
        "id": "CVE-2022-48991-34de5824",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "201408510426627671987750399254375304236",
                "59371218742431227336805894933071523795",
                "331314138205965883962236474474453706782",
                "131457745859434628310672116527482822952",
                "86551615094698015860887242498918006049",
                "105602601739495768089762254812432151399",
                "212137958423117642205516787174358723338",
                "304147931366848572940403249065543512146",
                "72189950699536433957502420412794833462"
            ]
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3",
        "id": "CVE-2022-48991-35036c10",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "26868156907433623839688975143423581686",
                "173249971759494645599993585105630520620",
                "338084404360849633804546047912693245838",
                "253842915131750482442042500484321134895",
                "23448436948726747225365157518840386207",
                "304794330191040801784575042551291491673",
                "324440373414060753509449731163338958203",
                "42902056737494506596083472634285846111",
                "201735452999219913394823802891926220474",
                "8245249151589787215296885590579427875",
                "241903167680044883246403125318950241464",
                "175787744527343231303229242841114637752",
                "23632322185366225303255193262835842465",
                "73904056056379808838107982345318270837",
                "322683855710350734634533921460666683898",
                "212137958423117642205516787174358723338",
                "285768216566355787348341578384431103486",
                "210749915211097211096128827809817104253"
            ]
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@275c626c131cfe141beeb6c575e31fa53d32da19",
        "id": "CVE-2022-48991-36a836dd",
        "deprecated": false,
        "target": {
            "function": "retract_page_tables",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 804.0,
            "function_hash": "269907525181506976252175393353212894929"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f268f6cf875f3220afc77bdd0bf1bb136eb54db9",
        "id": "CVE-2022-48991-6a9187ae",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "314844019185933171540387439972928947504",
                "176166577683665143721604897638321889648",
                "199407057513372132293066281949749840360",
                "6923636904771971719167055873328853139",
                "90048831711267281744977809635289487608",
                "326215295388998476911803733858733116132",
                "331232796034447634338611337985285542812",
                "59862810145342162817983909678752435807",
                "85247870216774811384902851246897011820"
            ]
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@275c626c131cfe141beeb6c575e31fa53d32da19",
        "id": "CVE-2022-48991-6dc5bd4b",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "201408510426627671987750399254375304236",
                "59371218742431227336805894933071523795",
                "331314138205965883962236474474453706782",
                "280917920320814202623601024407042581149",
                "24707142968059241908456216573059875391",
                "56282128947664077061433067160222244670",
                "212220281541008474828762900391427036897",
                "304147931366848572940403249065543512146",
                "72189950699536433957502420412794833462"
            ]
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f445ca2e0e59c7971d0b7b853465e50844ab596",
        "id": "CVE-2022-48991-71a75199",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "26868156907433623839688975143423581686",
                "173249971759494645599993585105630520620",
                "28140986620995300087504006027804004666",
                "93958317387633857914871139423628038739",
                "23448436948726747225365157518840386207",
                "304794330191040801784575042551291491673",
                "324440373414060753509449731163338958203",
                "42902056737494506596083472634285846111",
                "201735452999219913394823802891926220474",
                "8245249151589787215296885590579427875",
                "241903167680044883246403125318950241464",
                "175787744527343231303229242841114637752",
                "23632322185366225303255193262835842465",
                "73904056056379808838107982345318270837",
                "322683855710350734634533921460666683898",
                "212137958423117642205516787174358723338",
                "285768216566355787348341578384431103486",
                "210749915211097211096128827809817104253"
            ]
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3",
        "id": "CVE-2022-48991-84b25eb5",
        "deprecated": false,
        "target": {
            "function": "collapse_pte_mapped_thp",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 1670.0,
            "function_hash": "147967547799704781655011023608392812322"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f268f6cf875f3220afc77bdd0bf1bb136eb54db9",
        "id": "CVE-2022-48991-89b91e5b",
        "deprecated": false,
        "target": {
            "function": "collapse_and_free_pmd",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 449.0,
            "function_hash": "262250999293615603119390705273279445143"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3",
        "id": "CVE-2022-48991-8a726197",
        "deprecated": false,
        "target": {
            "function": "retract_page_tables",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 739.0,
            "function_hash": "139656001469409531465915047955732144980"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f445ca2e0e59c7971d0b7b853465e50844ab596",
        "id": "CVE-2022-48991-96952311",
        "deprecated": false,
        "target": {
            "function": "retract_page_tables",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 739.0,
            "function_hash": "139656001469409531465915047955732144980"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5450535901d89a5dcca5fbbc59a24fe89caeb465",
        "id": "CVE-2022-48991-b0c556c8",
        "deprecated": false,
        "target": {
            "function": "collapse_and_free_pmd",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 449.0,
            "function_hash": "262250999293615603119390705273279445143"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3",
        "id": "CVE-2022-48991-b2d59929",
        "deprecated": false,
        "target": {
            "function": "retract_page_tables",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 791.0,
            "function_hash": "49102090312862802586774630633002268432"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5ffc2a75534d9d74d49760f983f8eb675fa63d69",
        "id": "CVE-2022-48991-e74cd351",
        "deprecated": false,
        "target": {
            "function": "retract_page_tables",
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 767.0,
            "function_hash": "147944376759516506867355251287317745446"
        }
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5ffc2a75534d9d74d49760f983f8eb675fa63d69",
        "id": "CVE-2022-48991-f3efc4c3",
        "deprecated": false,
        "target": {
            "file": "mm/khugepaged.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "26868156907433623839688975143423581686",
                "173249971759494645599993585105630520620",
                "28140986620995300087504006027804004666",
                "93958317387633857914871139423628038739",
                "23448436948726747225365157518840386207",
                "304794330191040801784575042551291491673",
                "324440373414060753509449731163338958203",
                "42902056737494506596083472634285846111",
                "201735452999219913394823802891926220474",
                "8245249151589787215296885590579427875",
                "87812498401512128960885785303182759024",
                "338997739426975570329302508807625211815",
                "282369611125013443158463401453904056145",
                "73904056056379808838107982345318270837",
                "322683855710350734634533921460666683898",
                "212137958423117642205516787174358723338",
                "304147931366848572940403249065543512146",
                "45404777771217883125707599975103632955"
            ]
        }
    }
]