CVE-2022-50470: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel (CVE-2022-50470) was discovered that affects the xHCI (eXtensible Host Controller Interface) driver. The issue involves improper handling of device endpoints in the bandwidth list when freeing virtual devices. This vulnerability was disclosed on October 4, 2025, and primarily affects systems using Intel Panther Point PCH (Ivy Bridge) hardware that implements software bandwidth checking (NVD, Ubuntu).

The vulnerability occurs when the xHC host is dying or being removed, causing endpoints to not be dropped cleanly due to functions returning early to avoid interacting with a non-accessible host controller. This leads to a listdel corruption kernel crash when unbinding xhci-pci, specifically when xhcimem_cleanup() attempts to delete already freed endpoints from the bandwidth list. The issue is specifically limited to hosts that use software bandwidth checking, which is currently only implemented in the Intel Panther Point PCH (Ivy Bridge) xHC (RedHat).

The vulnerability can result in a kernel crash when unbinding the xhci-pci driver, potentially causing system instability. The impact is limited to specific hardware configurations using Intel Panther Point PCH (Ivy Bridge) with software bandwidth checking (RedHat).

To mitigate this issue, system administrators can prevent the xhci_pci module from being loaded. For systems where patches are available, updates have been released for various Linux distributions including Ubuntu 16.04 LTS (4.15.0-206.217~16.04.1) and other versions. Red Hat provides a workaround by blacklisting the kernel module to prevent it from loading automatically (RedHat, Ubuntu).