CVE-2022-50634 in Linux
Summary
by MITRE • 12/09/2025
In the Linux kernel, the following vulnerability has been resolved:
power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe()
cw_bat_probe() calls create_singlethread_workqueue() and not checked the ret value, which may return NULL. And a null-ptr-deref may happen:
cw_bat_probe() create_singlethread_workqueue() # failed, cw_bat->wq is NULL queue_delayed_work() queue_delayed_work_on() __queue_delayed_work() # warning here, but continue __queue_work() # access wq->flags, null-ptr-deref
Check the ret value and return -ENOMEM if it is NULL.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability CVE-2022-50634 represents a critical null pointer dereference flaw in the Linux kernel's power supply subsystem, specifically within the cw2015 battery driver. This issue resides in the cw_bat_probe function which is responsible for initializing the cw2015 battery monitoring driver. The vulnerability stems from inadequate error handling during the workqueue creation process, creating a scenario where the kernel attempts to dereference a null pointer during normal operation. The cw2015 driver is designed to monitor battery status for devices using the Texas Instruments CW2015 battery fuel gauge, making this a potentially widespread issue across Linux-based systems that rely on this hardware monitoring capability.
The technical flaw occurs when the create_singlethread_workqueue() function fails to allocate memory for the workqueue structure and returns NULL. This failure is not properly checked by the cw_bat_probe function, allowing execution to continue with a null pointer stored in the cw_bat->wq field. Subsequently, when queue_delayed_work() is called, it eventually leads to __queue_delayed_work() and __queue_work() functions attempting to access wq->flags where wq is NULL, resulting in an immediate null pointer dereference. This type of vulnerability falls under CWE-476 which specifically addresses NULL pointer dereference conditions, representing a fundamental error handling failure that can lead to system crashes or potential privilege escalation scenarios.
The operational impact of this vulnerability extends beyond simple system instability, as it can cause complete system crashes or panics during normal battery monitoring operations. When a device with cw2015 battery hardware is powered on or when battery status monitoring is initiated, the kernel's power management subsystem will trigger this null pointer dereference, leading to kernel oops and system termination. The vulnerability is particularly concerning because it affects the core power management functionality, potentially rendering devices unusable during critical battery monitoring operations. This aligns with ATT&CK technique T1490 which involves creating or manipulating system processes to cause system instability or failure.
The fix for this vulnerability requires implementing proper error checking after the create_singlethread_workqueue() call, specifically verifying that the return value is not NULL before proceeding with subsequent operations. When the workqueue creation fails, the function should return -ENOMEM to indicate insufficient memory resources, preventing the execution path that leads to the null pointer dereference. This remediation approach follows standard kernel development practices for resource allocation error handling and aligns with the Linux kernel's established patterns for managing memory allocation failures in device drivers. The solution ensures that the driver initialization properly fails when resources are unavailable rather than allowing execution to continue with invalid pointers, thereby maintaining system stability and preventing potential exploitation scenarios.