CVE-2022-50133

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's xHCI USB host controller driver causes a kernel panic during system reboot when xhci->shared_hcd is NULL. This affects Linux systems with specific USB hardware configurations, potentially causing denial of service.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions that contain commit 4736ebd7fcaff1eb8481c140ba494962847d6e0a and do not yet carry the fix commits backported to the stable releases
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only affects systems with xHCI USB controllers where shared_hcd can be NULL due to root hub having no ports.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: System crash/kernel panic during reboot/shutdown, leading to potential data corruption or system instability.

🟠 Likely Case: System crash during reboot/shutdown on affected hardware configurations, requiring manual intervention.

🟢 If Mitigated: No impact if patched or on unaffected hardware configurations.

🌐 Internet-Facing: LOW - Requires local access to trigger via reboot/shutdown.
🏢 Internal Only: MEDIUM - Local users or automated processes triggering reboots could cause system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Triggered by normal system reboot/shutdown operations on vulnerable configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in stable kernel releases via commits 371a8af4f26e06b4d51d893b4436f520b48d07fd and d7de14d74d6551f0d097430f9893ce82ad17e5b8

Vendor Advisory: https://git.kernel.org/stable/c/371a8af4f26e06b4d51d893b4436f520b48d07fd

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Avoid system reboot (linux): Prevent triggering the vulnerability by avoiding reboots until patched.

🧯 If You Can't Patch

  • Monitor system logs for kernel panic events during reboots
  • Consider disabling USB devices that might trigger the condition if not essential

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the system crashes during reboot with USB devices connected.

Check Version:

uname -r

Verify Fix Applied:

Verify that the running kernel version includes the fix commits, then test that the system reboots cleanly.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning 'NULL pointer dereference' in xhci_plat_remove or usb_remove_hcd
  • System crash during reboot/shutdown

SIEM Query:

(kernel.panic OR "NULL pointer dereference") AND (xhci OR usb_remove_hcd)
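The log indicators and SIEM query above, as an added Python example that is not part of this advisory: it splits constructed kernel-log lines into Oops records and keeps only those whose call trace passes through the xHCI remove path named here (xhci_plat_remove / usb_remove_hcd), so an unrelated NULL dereference or an ordinary xhci message does not fire. The log lines, timestamps, offsets and the name example_unrelated_remove are constructed placeholders.

```python
import re

# Constructed sample kernel log (not a real capture). The layout imitates a
# generic Oops: a header line, "pc :" and call-trace frames, then "end trace".
# Record 1 walks the xhci_plat_remove -> usb_remove_hcd path from the advisory;
# record 2 is a NULL dereference in a placeholder, unrelated driver.
SAMPLE_LOG = """\
[   42.101000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[   42.101200] pc : usb_remove_hcd+0x2c/0x1e0
[   42.101300] Call trace:
[   42.101400]  usb_remove_hcd+0x2c/0x1e0
[   42.101500]  xhci_plat_remove+0x58/0xf0
[   42.101600]  platform_shutdown+0x28/0x40
[   42.101900] ---[ end trace 0000000000000000 ]---
[   77.000000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   77.000100] pc : example_unrelated_remove+0x10/0x40
[   77.000200] Call trace:
[   77.000300]  example_unrelated_remove+0x10/0x40
[   77.000400]  platform_shutdown+0x28/0x40
[   77.000500] ---[ end trace 0000000000000000 ]---
[   99.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

NULL_DEREF = re.compile(r"NULL pointer dereference", re.IGNORECASE)
# A frame line: "[ts]  symbol+0xoff/0xlen", optionally prefixed by "pc :".
FRAME = re.compile(r"^\[[^\]]*\]\s+(?:pc :\s*)?([A-Za-z_]\w*)\+0x")
XHCI_PATH = re.compile(r"xhci|usb_remove_hcd")

def parse_oopses(log):
    """Split a kernel log into Oops records: each starts at a NULL dereference
    header and collects symbol names until the 'end trace' marker."""
    oopses, current = [], None
    for line in log.splitlines():
        if NULL_DEREF.search(line):
            current = {"header": line.strip(), "frames": []}
            oopses.append(current)
        elif current is not None:
            match = FRAME.match(line)
            if match:
                current["frames"].append(match.group(1))
            if "end trace" in line:
                current = None
    return oopses

def xhci_null_deref_hits(log):
    """Return only the Oops records whose trace passes through the xHCI remove
    path named in the advisory. Other NULL dereferences, and xhci messages
    outside an Oops, are dropped: this is the AND in the SIEM query."""
    return [o for o in parse_oopses(log)
            if any(XHCI_PATH.search(f) for f in o["frames"])]
```

Feed it the output of `dmesg` or `journalctl -k` instead of SAMPLE_LOG to scan a real host after a crash during reboot.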
