CVE-2022-50470
BaseFortify
Publication date: 2025-10-04
Last updated on: 2025-10-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intel | panther_point_pch | * |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's xHCI (USB 3.0) driver where device endpoints are not properly removed from the bandwidth list when the device is freed. Normally, endpoints are deleted from the bandwidth list when dropped, but if the xHCI host controller is dying or being removed, the cleanup functions return early and do not remove these endpoints correctly. This leads to a list_del corruption kernel crash when unbinding the xhci-pci driver, caused by attempts to delete already freed endpoints from the bandwidth list.
How can this vulnerability impact me? :
This vulnerability can cause a kernel crash due to list corruption when the xHCI host controller is removed or unbound. This can lead to system instability or denial of service on affected systems using the Intel Panther Point PCH (Ivy Bridge) xHCI host controller with software bandwidth checking.
What immediate steps should I take to mitigate this vulnerability?
Apply the Linux kernel update that includes the fix for this vulnerability, which removes device endpoints from the bandwidth list when freeing the device to prevent kernel crashes. This specifically affects hosts using software bandwidth checking, such as xHC in Intel Panther Point PCH (Ivy Bridge).