CVE-2022-50091: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-50091 is a vulnerability discovered in the Linux kernel related to the csdlockdebug kernel-boot parameter. The issue was identified in the locking/csdlock component and was publicly disclosed on June 18, 2025. The vulnerability affects Linux kernels built with specific configurations on arm64 and powerpc systems (NVD, Wiz).

The vulnerability occurs when the csdlockdebug() function, which is parsed by the earlyparam() function, invokes staticbranchenable() to enable the csdlockwait feature. This triggers a panic specifically on arm64 systems built with CONFIGSPARSEMEM=y and CONFIGSPARSEMEMVMEMMAP=n configurations. In systems with CONFIGSPARSEMEMVMEMMAP=n, _nrtosection is called in statickeyenable() and returns NULL, resulting in a NULL dereference because memsection is initialized only later in sparseinit(). For powerpc systems, the issue manifests when earlyparam() functions are invoked earlier than jumplabelinit(), causing statickey_enable() failures (NVD).

When exploited, this vulnerability can cause system panic on affected arm64 systems. On powerpc systems, it triggers warning messages with the message 'static key xxx used before call to jumplabelinit()' (Wiz).

The vulnerability has been resolved by changing csdlockdebug from earlyparam to _setup to ensure proper timing of the staticbranch_enable() call. This modification fixes the issue by ensuring the function runs at the appropriate initialization stage (Wiz).