CVE-2022-48879 in Linux

Summary

by MITRE • 08/21/2024

In the Linux kernel, the following vulnerability has been resolved:

efi: fix NULL-deref in init error path

In cases where runtime services are not supported or have been disabled, the runtime services workqueue will never have been allocated.

Do not try to destroy the workqueue unconditionally in the unlikely event that EFI initialisation fails to avoid dereferencing a NULL pointer.


Analysis

by VulDB Data Team • 02/17/2026

The vulnerability described in CVE-2022-48879 is a critical NULL pointer dereference in the Linux kernel's EFI (Extensible Firmware Interface) subsystem. It manifests during EFI initialization when runtime services are either not supported by the firmware or have been explicitly disabled by the system administrator. The flaw sits in the error-handling path of the EFI initialization code, where the kernel tears down resources without first checking that the runtime services workqueue was ever allocated.

The root cause is that the kernel did not check whether the runtime services workqueue had been allocated before destroying it. When EFI runtime services are available and enabled, the workqueue is created during initialization and kept for the system's lifetime. When those services are disabled or unsupported, the workqueue pointer is never assigned and stays NULL. If EFI initialization then fails, the error path unconditionally calls the workqueue destroy routine on what it assumes is a valid workqueue structure, but which in the disabled scenario is a NULL pointer.

This NULL pointer dereference poses a significant risk to system stability and creates potentially exploitable conditions in the kernel's EFI subsystem. Because it occurs at boot, while the kernel initializes EFI components, it can cause an immediate crash or panic. It is classified as CWE-476 (NULL Pointer Dereference), a fundamental programming error that can lead to system instability. The operational impact extends beyond simple crashes: the flaw could potentially be leveraged by malicious actors to gain unauthorized access to system resources or escalate privileges through kernel exploitation techniques.

The attack surface is limited to systems that boot with EFI firmware and run kernel code during the boot process, particularly servers and embedded systems where EFI runtime services may be disabled for performance or security reasons. While exploitation requires specific conditions to be met, the potential for system compromise remains significant because the flaw lives in the kernel. It is a classic case of improper error handling and resource management: a defensive check should have prevented an unconditional operation on a possibly uninitialized structure. The vulnerability aligns with ATT&CK technique T1068 (privilege escalation through kernel exploits), although direct exploitation would require additional attack vectors. Organizations should prioritize kernel updates that add the NULL pointer check before destroying the EFI workqueue, so that the error path verifies the allocation state before running cleanup operations.
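The following user-space C program is an added illustration of the pattern described above; it is not kernel code and not part of the VulDB record or the upstream fix. All names in it (`efi_model`, `rts_wq`, `destroy_workqueue_model`, `run_scenario`) are hypothetical stand-ins for the kernel's own structures. It models the workqueue being allocated only when runtime services are available, then runs the init error path in both the vulnerable form (unconditional destroy) and the patched form (destroy only if allocated). A real `destroy_workqueue()` dereferences its argument immediately, so the model reports a NULL argument as an oops rather than crashing.

```c
/*
 * User-space model of the pattern behind CVE-2022-48879 (added example,
 * not kernel code). The EFI runtime services workqueue is only allocated
 * when runtime services are supported and enabled, but the init error
 * path used to destroy it unconditionally.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's workqueue object (hypothetical). */
struct workqueue {
    int pending;
};

/* Outcome of one modelled EFI init run. */
enum init_result {
    INIT_OK = 0,            /* init succeeded */
    INIT_FAILED_CLEAN = 1,  /* init failed, cleanup never touched NULL */
    INIT_NULL_DEREF = 2     /* init failed, cleanup dereferenced NULL (oops) */
};

/* State the modelled EFI init code keeps (hypothetical names). */
struct efi_model {
    struct workqueue *rts_wq;   /* runtime services workqueue; NULL unless allocated */
    bool runtime_supported;     /* firmware supports runtime services and they are enabled */
    bool later_step_fails;      /* a later init step fails, forcing the error path */
};

static struct workqueue *alloc_workqueue_model(void)
{
    return calloc(1, sizeof(struct workqueue));
}

/*
 * Model of destroy_workqueue(): the real routine dereferences its argument
 * right away, so NULL is an oops. The model reports that instead of crashing
 * so both code paths can be compared in one process.
 */
static bool destroy_workqueue_model(struct workqueue *wq)
{
    if (wq == NULL)
        return false;          /* real kernel: NULL pointer dereference */
    wq->pending = 0;           /* touch the object as a real teardown would */
    free(wq);
    return true;
}

/* Modelled EFI init; `fixed` selects the vulnerable or the patched error path. */
static enum init_result efi_init_model(struct efi_model *efi, bool fixed)
{
    efi->rts_wq = NULL;
    if (efi->runtime_supported)
        efi->rts_wq = alloc_workqueue_model();

    if (!efi->later_step_fails)
        return INIT_OK;

    /* Error path: tear down whatever was set up. */
    if (fixed) {
        /* Patched behaviour: only destroy a workqueue that was allocated. */
        if (efi->rts_wq) {
            destroy_workqueue_model(efi->rts_wq);
            efi->rts_wq = NULL;
        }
        return INIT_FAILED_CLEAN;
    }

    /* Vulnerable behaviour: unconditional destroy; the pointer is NULL
     * whenever runtime services are unsupported or disabled. */
    if (!destroy_workqueue_model(efi->rts_wq))
        return INIT_NULL_DEREF;
    efi->rts_wq = NULL;
    return INIT_FAILED_CLEAN;
}

/* Run one scenario and release any workqueue that survived it. */
static enum init_result run_scenario(bool runtime_supported, bool later_step_fails, bool fixed)
{
    struct efi_model efi = { NULL, runtime_supported, later_step_fails };
    enum init_result r = efi_init_model(&efi, fixed);
    free(efi.rts_wq);          /* free(NULL) is a no-op */
    efi.rts_wq = NULL;
    return r;
}

int main(void)
{
    static const char *names[] = { "ok", "failed, clean teardown", "failed, NULL dereference" };
    printf("runtime disabled, init fails, vulnerable: %s\n", names[run_scenario(false, true, false)]);
    printf("runtime disabled, init fails, fixed:      %s\n", names[run_scenario(false, true, true)]);
    printf("runtime enabled,  init fails, vulnerable: %s\n", names[run_scenario(true, true, false)]);
    return 0;
}
```

The only scenario that reaches `INIT_NULL_DEREF` is the one the commit message describes: runtime services unavailable, so the workqueue was never allocated, combined with a failure later in init. Adding the `if (efi->rts_wq)` guard on the error path is the whole fix; when runtime services are enabled, both variants behave identically, which is why the bug only shows up on systems that boot with runtime services disabled or unsupported.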

Responsible

Linux

Reservation

07/16/2024

Disclosure

08/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00240

KEV

no

Activities

very low
