{ "threat_severity" : "Moderate", "public_date" : "2025-10-04T00:00:00Z", "bugzilla" : { "description" : "kernel: xhci: Remove device endpoints from bandwidth list when freeing the device", "id" : "2401565", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401565" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nxhci: Remove device endpoints from bandwidth list when freeing the device\nEndpoints are normally deleted from the bandwidth list when they are\ndropped, before the virt device is freed.\nIf xHC host is dying or being removed then the endpoints aren't dropped\ncleanly due to functions returning early to avoid interacting with a\nnon-accessible host controller.\nSo check and delete endpoints that are still on the bandwidth list when\nfreeing the virt device.\nSolves a list_del corruption kernel crash when unbinding xhci-pci,\ncaused by xhci_mem_cleanup() when it later tried to delete already freed\nendpoints from the bandwidth list.\nThis only affects hosts that use software bandwidth checking, which\ncurrenty is only the xHC in intel Panther Point PCH (Ivy Bridge)", "A null pointer/list corruption flaw was found in the Linux kernel USB xHCI host controller code. When the xHCI host is dying or being removed, some device endpoints may remain on the software bandwidth list. Later cleanup deletes entries that were already freed, corrupting the list and crashing the kernel.\nA local user could use this flaw to crash system, causing denial of service." ], "statement" : "This vulnerability is limited to systems using software bandwidth checking, noted as affecting Intel Panther Point PCH (Ivy Bridge) xHC; other hosts perform bandwidth checks in hardware. The crash occurs when endpoints aren’t dropped cleanly as the controller is removed/dies, leaving them on the bandwidth list; subsequent free-path cleanup (xhci_mem_cleanup) attempts to delete already-freed endpoints, corrupting the list and triggering a kernel crash.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50470\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50470\nhttps://lore.kernel.org/linux-cve-announce/2025100434-CVE-2022-50470-e56f@gregkh/T" ], "name" : "CVE-2022-50470", "mitigation" : { "value" : "To mitigate this issue, prevent module xhci_pci from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }