CVE-2022-48769: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

efi: runtime: avoid EFIv2 runtime services on Apple x86 machines

Aditya reports [0] that his recent MacbookPro crashes in the firmware when using the variable services at runtime. The culprit appears to be a call to QueryVariableInfo(), which we did not use to call on Apple x86 machines in the past as they only upgraded from EFI v1.10 to EFI v2.40 firmware fairly recently, and QueryVariableInfo() (along with UpdateCapsule() et al) was added in EFI v2.00.

The only runtime service introduced in EFI v2.00 that we actually use in Linux is QueryVariableInfo(), as the capsule based ones are optional, generally not used at runtime (all the LVFS/fwupd firmware update infrastructure uses helper EFI programs that invoke capsule update at boot time, not runtime), and not implemented by Apple machines in the first place. QueryVariableInfo() is used to 'safely' set variables, i.e., only when there is enough space. This prevents machines with buggy firmwares from corrupting their NVRAMs when they run out of space.

Given that Apple machines have been using EFI v1.10 services only for the longest time (the EFI v2.0 spec was released in 2006, and Linux support for the newly introduced runtime services was added in 2011, but the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only), let's avoid the EFI v2.0 ones on all Apple x86 machines.

[0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/
AI Analysis
Technical Summary
CVE-2022-48769 is a vulnerability identified in the Linux kernel related to the handling of EFI (Extensible Firmware Interface) runtime services on Apple x86 machines. Specifically, the issue arises from the Linux kernel invoking the EFIv2 runtime service QueryVariableInfo() on Apple MacBook Pro models that only support EFI v1.10 firmware. Apple machines historically used EFI v1.10 services and only recently upgraded to EFI v2.40, but many models, including the MacBookPro12,1 released in 2015, still report EFI v1.10 compatibility.

The Linux kernel added support for EFI v2.0 runtime services in 2011, including QueryVariableInfo(), which is used to safely set EFI variables by checking available space to prevent NVRAM corruption. However, calling QueryVariableInfo() on Apple machines with buggy or incomplete EFIv2 implementations causes firmware crashes, leading to system instability or failure. The vulnerability is essentially a compatibility and stability issue caused by the Linux kernel's use of EFIv2 runtime services on Apple hardware that does not fully support them.

The recommended fix is to avoid calling EFIv2 runtime services, specifically QueryVariableInfo(), on all Apple x86 machines to prevent firmware crashes and potential NVRAM corruption. This issue does not appear to be exploitable for remote code execution or privilege escalation but can cause denial of service through system crashes or firmware corruption during runtime variable operations.
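The version gate described above, modelled in user-space C as an added example (not the kernel's own code and not part of the original page). `struct fw_model`, `effective_runtime_revision()` and `safe_set_variable()` are hypothetical names, the vendor string "Apple" and all sample values are assumptions, and the revision encoding follows the UEFI specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* UEFI table revisions are encoded as (major << 16) | minor. */
#define EFI_REV(major, minor) (((uint32_t)(major) << 16) | (uint32_t)(minor))
enum set_result { SET_OK, SET_NO_SPACE };

/* Hypothetical model of one machine's firmware, not a kernel structure. */
struct fw_model {
    uint32_t systab_revision; /* revision the system table claims */
    const char *vendor;       /* firmware vendor string (assumed "Apple" on Macs) */
    bool is_x86;
    uint64_t nvram_free;      /* bytes QueryVariableInfo() would report free */
    unsigned query_calls;     /* times QueryVariableInfo() was entered */
};

/* Apple x86 firmware claiming more than v1.10 is treated as v1.10. */
uint32_t effective_runtime_revision(const struct fw_model *fw)
{
    if (fw->is_x86 && strcmp(fw->vendor, "Apple") == 0 &&
        fw->systab_revision > EFI_REV(1, 10))
        return EFI_REV(1, 10);
    return fw->systab_revision;
}

/* Stand-in for the firmware service; counts how often it is entered. */
static uint64_t query_variable_info(struct fw_model *fw)
{
    fw->query_calls++;
    return fw->nvram_free;
}

/* "Safe" set: consult free space only where the v2.00 service is assumed. */
enum set_result safe_set_variable(struct fw_model *fw, uint64_t size)
{
    if (effective_runtime_revision(fw) >= EFI_REV(2, 0) &&
        query_variable_info(fw) < size)
        return SET_NO_SPACE;
    return SET_OK;
}

int main(void)
{
    /* Constructed sample: Apple x86 firmware claiming v2.40, 64 bytes free. */
    struct fw_model mac = { EFI_REV(2, 40), "Apple", true, 64, 0 };
    printf("result=%d\n", (int)safe_set_variable(&mac, 1024));
    printf("QueryVariableInfo() calls=%u\n", mac.query_calls);
    return 0;
}
```

In this model the clamped machine never enters the v2.00 service, which also means the free-space check is skipped there.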
Potential Impact
For European organizations using Linux on Apple x86 hardware, this vulnerability could lead to unexpected system crashes or firmware instability, particularly during operations that involve EFI variable management at runtime. This can result in denial of service conditions, loss of system availability, and potential corruption of NVRAM settings, which may affect system boot or configuration persistence. Organizations relying on Mac hardware running Linux, such as developers, research institutions, or enterprises using mixed environments, may experience operational disruptions. While the impact is primarily on system stability and availability, it does not directly compromise confidentiality or integrity through unauthorized access or data modification. However, the disruption caused by firmware crashes could delay critical operations or maintenance tasks. Since this vulnerability is hardware and firmware specific, its impact is limited to Apple x86 machines running Linux kernels that invoke EFIv2 runtime services improperly.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should ensure that their Linux kernel versions include the patch that disables EFIv2 runtime service calls on Apple x86 machines. Specifically, kernel maintainers have implemented logic to avoid calling QueryVariableInfo() on Apple hardware that only supports EFI v1.10. Organizations should:
1) Update Linux kernels on Apple x86 devices to the latest stable versions that contain this fix.
2) Avoid running Linux on unsupported or older Apple hardware models that have incomplete EFIv2 implementations.
3) Test firmware and kernel interactions in controlled environments before deploying Linux on Apple hardware in production.
4) Monitor system logs for EFI runtime service errors or firmware crashes to detect potential issues early.
5) Coordinate with hardware vendors and Linux distribution maintainers to confirm compatibility and receive timely updates.
Since this vulnerability does not have known exploits in the wild, proactive patching and cautious deployment are effective mitigations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-20T11:09:39.061Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe60f2
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 8:56:44 PM
Last updated: 7/28/2025, 7:11:37 PM