CVE-2025-22022

7.8 HIGH

📋 TL;DR

A vulnerability in the Linux kernel's xHCI USB driver allows a malicious USB device to cause memory corruption and potential data leakage. When specific NEC USB controllers experience bandwidth starvation, they can write data to incorrect memory locations, potentially exposing sensitive information or causing system instability. This affects Linux systems with vulnerable kernel versions and specific NEC USB hardware.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires specific NEC uPD720200 USB controllers and bandwidth starvation conditions. Systems with IOMMU enabled are more severely affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious USB device could write data to arbitrary memory locations, potentially leading to privilege escalation, data corruption, or information disclosure across devices sharing the same IOMMU domain.

🟠

Likely Case

USB device causing IOMMU faults and system instability, potentially leading to data corruption or crashes when specific NEC controllers are bandwidth-starved.

🟢

If Mitigated

With proper USB device restrictions and IOMMU isolation, impact is limited to denial of service or data corruption within the affected USB subsystem.

🌐 Internet-Facing: LOW - Requires physical or local USB device access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Requires physical USB access or compromised USB device, but could be exploited by malicious insiders or through supply chain attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires specific hardware, bandwidth starvation conditions, and physical USB access.

Exploitation requires a malicious USB device and specific hardware conditions. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 061a1683bae6ef56ab8fa392725ba7495515cd1d, 1143f790a6316201dc8f067eba4c94ea97ecb6ca, 43a18225150ce874d23b37761c302a5dffee1595, 8b586de6f03c850ff48d42e539b4708d1f3f8f1a, a4931d9fb99eb5462f3eaa231999d279c40afb21

Vendor Advisory: https://git.kernel.org/stable/c/061a1683bae6ef56ab8fa392725ba7495515cd1d

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify that the running kernel version matches the patched release.

🔧 Temporary Workarounds

Disable affected USB controllers

Blacklist or disable NEC uPD720200 USB controllers if they are not needed. Note that xhci_pci is the PCI glue module for every xHCI host controller, so blacklisting it disables all USB 3.x controllers on the machine, not only the NEC part; make sure keyboard, storage or out-of-band access does not depend on them before rebooting. If xhci_pci is built into the kernel rather than loaded as a module, the blacklist has no effect. The initramfs rebuild command below is the Debian/Ubuntu form; Fedora/RHEL systems use dracut -f instead.

echo 'blacklist xhci_pci' >> /etc/modprobe.d/blacklist.conf
update-initramfs -u
reboot

Enable strict IOMMU isolation

Configure the IOMMU to provide stronger isolation between devices. Strict mode makes unmaps take effect immediately instead of lazily, so a stray DMA to a just-freed buffer is faulted rather than landing in memory; it does not stop the controller from issuing the bad transfer. Newer kernels also accept the generic spelling iommu.strict=1.

Add 'iommu=strict' to the kernel boot parameters in /etc/default/grub
update-grub
reboot

🧯 If You Can't Patch

  • Restrict physical USB access to trusted devices only
  • Implement USB device whitelisting policies and monitoring

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the system has an NEC USB controller:

uname -r
lspci | grep -i nec

Check Version:

uname -r

Verify Fix Applied:

Confirm the running kernel is a patched release and that dmesg shows none of the xhci_hcd error messages listed under Detection & Monitoring.

📡 Detection & Monitoring

Log Indicators:

  • xhci_hcd: Miss service interval error
  • xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT
  • xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD
  • xhci_hcd: WARN: buffer overrun event

Network Indicators:

  • Not network exploitable - physical access required

SIEM Query:

source="kernel" AND ("xhci_hcd" AND ("Miss service interval" OR "IO_PAGE_FAULT" OR "buffer overrun"))
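The following POSIX shell script is an added triage helper, not part of this advisory or of the kernel project. It combines the two checks above: a hardware check that parses lspci -nn output for the NEC uPD720200, and a log scan that counts lines carrying the xhci_hcd indicators listed under Log Indicators. It assumes NEC's PCI vendor ID is 1033 and that the uPD720200 reports device ID 0194; the text match on "NEC" mirrors the page's lspci | grep -i nec. The lspci and dmesg samples embedded in the script are constructed so it can be exercised offline.

```sh
#!/bin/sh
# Added triage helper for CVE-2025-22022 (not from the advisory page).
# Both functions read their input from stdin so they can be fed either live
# command output or the constructed samples defined below.

# Assumption: NEC vendor ID 1033, uPD720200 device ID 0194. Exit 0 when an
# NEC xHCI controller line is present, 1 otherwise.
has_nec_xhci() {
    grep -Ei 'USB controller.*(NEC|\[1033:0194\])' >/dev/null
}

# Count kernel log lines matching the advisory's xhci_hcd indicators.
# The IO_PAGE_FAULT event is emitted by the IOMMU driver (AMD-Vi) and is
# matched on its own so it is caught whether or not the xhci_hcd prefix is
# present. Prints the count (0 when nothing matches).
scan_xhci_log() {
    grep -Ec 'xhci_hcd.*(Miss(ed)? service interval|buffer overrun|TRB DMA ptr not part of current TD)|IO_PAGE_FAULT' || true
}

# Constructed sample lspci -nn output: one Intel and one NEC controller.
SAMPLE_LSPCI='00:14.0 USB controller [0c03]: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller [8086:1e31] (rev 04)
03:00.0 USB controller [0c03]: NEC Corporation uPD720200 USB 3.0 Host Controller [1033:0194] (rev 04)'

# Constructed sample dmesg excerpt: three indicator lines, two benign lines.
SAMPLE_LOG='[   12.001] xhci_hcd 0000:03:00.0: xHCI Host Controller
[   40.120] xhci_hcd 0000:03:00.0: Miss service interval error for slot 1 ep 4, set skip flag
[   40.121] xhci_hcd 0000:03:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0x12340000 flags=0x0020]
[   40.122] xhci_hcd 0000:03:00.0: WARN: buffer overrun event on endpoint
[   41.000] usb 2-1: new SuperSpeed USB device number 3 using xhci_hcd'

# Live run: inspect this machine. Missing lspci/dmesg or permission errors
# are silenced and simply read as "not found" / 0 hits.
main() {
    if lspci -nn 2>/dev/null | has_nec_xhci; then
        echo "NEC uPD720200 xHCI controller present; running kernel $(uname -r)"
    else
        echo "no NEC uPD720200 xHCI controller found"
    fi
    hits=$(dmesg 2>/dev/null | scan_xhci_log) || hits=0
    echo "xhci_hcd indicator lines in dmesg: ${hits:-0}"
    echo "sample data check: $(printf '%s\n' "$SAMPLE_LOG" | scan_xhci_log) indicator lines in constructed log"
}

main "$@"
```

The hardware check is the gate: on a host without the NEC part the log indicators are far less significant, so an alert rule should require both conditions rather than firing on any Miss service interval message, which can also appear under ordinary isochronous load.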
