CVE-2022-50473 in Linux
Summary
by MITRE • 10/04/2025
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: Init completion before kobject_init_and_add()
In cpufreq_policy_alloc(), it will call an uninitialized completion in cpufreq_sysfs_release() when kobject_init_and_add() fails. That will cause a crash such as the following page fault in complete:
BUG: unable to handle page fault for address: fffffffffffffff8
[..]
RIP: 0010:complete+0x98/0x1f0
[..]
Call Trace:
 kobject_put+0x1be/0x4c0
 cpufreq_online.cold+0xee/0x1fd
 cpufreq_add_dev+0x183/0x1e0
 subsys_interface_register+0x3f5/0x4e0
 cpufreq_register_driver+0x3b7/0x670
 acpi_cpufreq_init+0x56c/0x1000 [acpi_cpufreq]
 do_one_initcall+0x13d/0x780
 do_init_module+0x1c3/0x630
 load_module+0x6e67/0x73b0
 __do_sys_finit_module+0x181/0x240
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Analysis
by VulDB Data Team • 03/01/2026
This vulnerability exists in the Linux kernel's cpufreq subsystem and is an initialization-ordering flaw in policy setup. In cpufreq_policy_alloc(), the completion variable has not yet been initialized at the point where kobject_init_and_add() is called. When the kobject initialization fails, the system attempts to clean up using cpufreq_sysfs_release(), which references the uninitialized completion object. This creates a path where memory access violations can occur, leading to kernel page faults and system crashes.
The technical implementation involves improper initialization sequencing within the cpufreq subsystem's device registration process. The completion variable that should be properly initialized before use remains in an undefined state when kobject_init_and_add() fails. This violates fundamental kernel programming practices where all synchronization primitives must be initialized before use. The vulnerability specifically affects the acpi_cpufreq driver during module initialization, creating a scenario where the kernel attempts to complete an uninitialized completion structure, resulting in the page fault described in the stack trace.
The operational impact of this vulnerability is severe as it can cause complete system crashes and kernel oops during normal system operation. When the cpufreq subsystem attempts to register a CPU frequency driver, particularly the acpi_cpufreq driver, the failure condition triggers a memory corruption scenario that leads to page fault exceptions. This affects system stability and reliability, especially on systems with multiple CPU cores where frequency scaling is actively managed. The vulnerability can be exploited to cause denial of service conditions, making systems unreliable for production environments where consistent performance and availability are required.
This vulnerability maps to CWE-457: "Use of Uninitialized Variable" and aligns with ATT&CK technique T1490: "Inhibit System Recovery" through the creation of system crashes and instability. The fix requires ensuring proper initialization order by moving the completion initialization before the kobject initialization attempt, preventing the use of uninitialized synchronization primitives. Mitigation strategies include applying the kernel patch that corrects the initialization sequence, monitoring for kernel oops messages indicating similar issues, and ensuring systems are updated with the patched kernel versions. Organizations should prioritize updating their Linux kernel installations to versions containing the fix for CVE-2022-50473 to prevent exploitation and maintain system stability. The vulnerability demonstrates the critical importance of proper resource initialization in kernel space where uninitialized variables can lead to catastrophic system failures rather than simple functional errors.
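The ordering bug and its fix described above, as a user-space C model added here for illustration; it is not kernel code or the upstream patch. Every model_* name, the zero-filled allocation, and the NULL-link check that stands in for the page fault are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* User-space model; every model_* name is hypothetical, not a kernel symbol. */
struct model_list { struct model_list *next, *prev; };
struct model_completion { unsigned int done; struct model_list waiters; };
struct model_policy { struct model_completion release_done; };

enum { MODEL_OK = 0, MODEL_CLEANED_UP = 1, MODEL_WOULD_FAULT = -1 };

static void model_init_completion(struct model_completion *c) {
    c->done = 0;
    c->waiters.next = c->waiters.prev = &c->waiters; /* empty circular list */
}

/* Assumption: a never-initialized waiter list (NULL links) stands in for the
 * page fault in complete(); the model reports it instead of dereferencing. */
static int model_complete(struct model_completion *c) {
    if (c->waiters.next == NULL)
        return MODEL_WOULD_FAULT;
    c->done++;
    return MODEL_OK;
}

/* Release callback: runs when the last reference is dropped (kobject_put()). */
static int model_sysfs_release(struct model_policy *p) {
    return model_complete(&p->release_done);
}

/* init_first = 0 models the vulnerable order, 1 the fixed order.
 * add_fails simulates kobject_init_and_add() returning an error. */
int model_policy_alloc(int init_first, int add_fails) {
    struct model_policy p;
    memset(&p, 0, sizeof(p));            /* assumption: zero-filled allocation */
    if (init_first)
        model_init_completion(&p.release_done);
    if (add_fails)                       /* error path drops the reference */
        return model_sysfs_release(&p) == MODEL_OK ? MODEL_CLEANED_UP
                                                   : MODEL_WOULD_FAULT;
    if (!init_first)
        model_init_completion(&p.release_done);
    return MODEL_OK;
}

int main(void) {
    printf("vulnerable order, add fails: %d\n", model_policy_alloc(0, 1));
    printf("fixed order, add fails:      %d\n", model_policy_alloc(1, 1));
    return 0;
}
```

Only the combination of the vulnerable order and a failing add reaches the release callback with an uninitialized completion; the success path behaves identically in both orders, which is why the defect stays hidden until the error path runs.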