{
  "threat_severity" : "Low",
  "public_date" : "2025-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: cpufreq: Init completion before kobject_init_and_add()",
    "id" : "2401530",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401530"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-909",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncpufreq: Init completion before kobject_init_and_add()\nIn cpufreq_policy_alloc(), it will call uninitialed completion in\ncpufreq_sysfs_release() when kobject_init_and_add() fails. And\nthat will cause a crash such as the following page fault in complete:\nBUG: unable to handle page fault for address: fffffffffffffff8\n[..]\nRIP: 0010:complete+0x98/0x1f0\n[..]\nCall Trace:\nkobject_put+0x1be/0x4c0\ncpufreq_online.cold+0xee/0x1fd\ncpufreq_add_dev+0x183/0x1e0\nsubsys_interface_register+0x3f5/0x4e0\ncpufreq_register_driver+0x3b7/0x670\nacpi_cpufreq_init+0x56c/0x1000 [acpi_cpufreq]\ndo_one_initcall+0x13d/0x780\ndo_init_module+0x1c3/0x630\nload_module+0x6e67/0x73b0\n__do_sys_finit_module+0x181/0x240\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd", "An initialization order bug was found in the Linux kernel's cpufreq subsystem during policy allocation. A local user can trigger this issue when CPU frequency policy initialization fails after kobject registration but before completion initialization, causing the cleanup path to attempt to use an uninitialized completion variable. This results in a page fault and kernel crash, leading to denial of service." ],
  "statement" : "The cpufreq_policy_alloc function creates CPU frequency policy objects and registers them with the sysfs kobject infrastructure. During this process, a completion variable is used for synchronization when the policy object is eventually released. The problem is timing: kobject_init_and_add can fail, triggering an error cleanup path that calls kobject_put. This leads to cpufreq_sysfs_release being invoked, which tries to complete on the completion variable—but that variable hasn't been initialized yet because init_completion is called after the kobject registration. Accessing an uninitialized completion causes the kernel to dereference invalid memory (specifically address 0xfffffffffffffff8), resulting in an immediate page fault and crash. This can happen during normal CPU frequency driver initialization when any of various failure conditions occur, such as memory allocation failures or sysfs registration conflicts.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-04-28T00:00:00Z",
    "advisory" : "RHSA-2020:1769",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-193.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.5.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50473\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50473\nhttps://lore.kernel.org/linux-cve-announce/2025100437-CVE-2022-50473-a1fc@gregkh/T" ],
  "name" : "CVE-2022-50473",
  "csaw" : false
}