CVE-2025-22022: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Apply the link chain quirk on NEC isoc endpoints Two clearly different specimens of NEC uPD720200 (one with start/stop bug, one without) were seen to cause IOMMU faults after some Missed Service Errors. Faulting address is immediately after a transfer ring segment and patched dynamic debug messages revealed that the MSE was received when waiting for a TD near the end of that segment: [ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0 [ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000] [ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000] It gets even funnier if the next page is a ring segment accessible to the HC. Below, it reports MSE in segment at ff1e8000, plows through a zero-filled page at ff1e9000 and starts reporting events for TRBs in page at ff1ea000 every microframe, instead of jumping to seg ff1e6000. [ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag. [ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31 [ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31 [ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 At some point completion events change from Isoch Buffer Overrun to Short Packet and the HC finally finds cycle bit mismatch in ff1ec000. [ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13 [ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13 [ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2 It's possible that data from the isochronous device were written to random buffers of pending TDs on other endpoints (either IN or OUT), other devices or even other HCs in the same IOMMU domain. Lastly, an error from a different USB device on another HC. Was it caused by the above? I don't know, but it may have been. The disk was working without any other issues and generated PCIe traffic to starve the NEC of upstream BW and trigger those MSEs. The two HCs shared one x1 slot by means of a commercial "PCIe splitter" board. [ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd [ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s [ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00 [ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0 Fortunately, it appears that this ridiculous bug is avoided by setting the chain bit of Link TRBs on isochronous rings. Other ancient HCs are known which also expect the bit to be set and they ignore Link TRBs if it's not. Reportedly, 0.95 spec guaranteed that the bit is set. The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports tens of MSEs per second and runs into the bug within seconds. Chaining Link TRBs allows the same workload to run for many minutes, many times. No ne ---truncated---
AI Analysis
Technical Summary
CVE-2025-22022 is a vulnerability identified in the Linux kernel's USB xHCI (Extensible Host Controller Interface) driver, specifically affecting NEC uPD720200 USB host controllers. The issue arises due to improper handling of isochronous endpoint transfer rings when the 'chain bit' in Link TRBs (Transfer Request Blocks) is not set as expected. This leads to Missed Service Errors (MSEs) and subsequent IOMMU (Input-Output Memory Management Unit) faults. The kernel logs reveal buffer overruns, transfer event errors, and cycle bit mismatches, indicating that data from isochronous USB devices could be erroneously written into random buffers associated with other endpoints, devices, or even other host controllers within the same IOMMU domain. This mismanagement can cause data corruption, unexpected device resets, and I/O errors, as evidenced by errors in USB device resets and disk read failures. The root cause is linked to the NEC host controller's failure to set the chain bit on Link TRBs, which is mandated by the USB 0.95 specification. The vulnerability is mitigated by applying a quirk that enforces the chain bit setting on isochronous endpoints for affected NEC controllers, preventing the buffer overruns and transfer errors. Although no known exploits are reported in the wild, the bug can cause significant instability in systems using these NEC USB controllers, especially under bandwidth-starved conditions or when PCIe bandwidth contention occurs. The vulnerability affects Linux kernel versions identified by specific commit hashes, and the fix involves kernel patches to apply the link chain quirk on NEC isochronous endpoints.
Potential Impact
For European organizations, the impact of CVE-2025-22022 can be significant in environments relying on Linux systems with NEC uPD720200 USB host controllers, particularly in sectors where USB isochronous devices (such as video capture, audio interfaces, or specialized industrial equipment) are critical. The vulnerability can lead to data corruption, device malfunctions, unexpected resets, and I/O errors, potentially disrupting business operations, data integrity, and availability of critical services. Organizations using Linux-based servers, workstations, or embedded systems with these controllers may experience system instability or degraded performance. In industrial, healthcare, or media production environments where isochronous USB devices are common, the risk of operational disruption is heightened. Additionally, the vulnerability could indirectly affect systems sharing PCIe bandwidth, causing cascading failures. Although exploitation requires specific hardware conditions and does not appear to be remotely exploitable, the resulting instability and data integrity issues pose a medium to high operational risk.
Mitigation Recommendations
1. Apply the official Linux kernel patches that implement the link chain quirk for NEC uPD720200 isochronous endpoints as soon as they become available. 2. Identify and inventory systems using NEC uPD720200 USB host controllers to prioritize patch deployment. 3. Where patching is not immediately feasible, consider disabling or limiting the use of isochronous USB devices on affected systems to reduce exposure. 4. Monitor kernel logs for signs of Missed Service Errors, buffer overruns, or IOMMU faults related to USB xHCI to detect potential exploitation or instability. 5. Evaluate PCIe bandwidth allocation and avoid sharing PCIe slots via splitters for critical USB host controllers to minimize bandwidth starvation scenarios that trigger the bug. 6. Engage with hardware vendors to confirm firmware updates or hardware replacements if persistent issues occur despite software mitigations. 7. Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-22022: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Apply the link chain quirk on NEC isoc endpoints Two clearly different specimens of NEC uPD720200 (one with start/stop bug, one without) were seen to cause IOMMU faults after some Missed Service Errors. Faulting address is immediately after a transfer ring segment and patched dynamic debug messages revealed that the MSE was received when waiting for a TD near the end of that segment: [ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0 [ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000] [ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000] It gets even funnier if the next page is a ring segment accessible to the HC. Below, it reports MSE in segment at ff1e8000, plows through a zero-filled page at ff1e9000 and starts reporting events for TRBs in page at ff1ea000 every microframe, instead of jumping to seg ff1e6000. [ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag. [ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31 [ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31 [ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 At some point completion events change from Isoch Buffer Overrun to Short Packet and the HC finally finds cycle bit mismatch in ff1ec000. [ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13 [ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13 [ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2 It's possible that data from the isochronous device were written to random buffers of pending TDs on other endpoints (either IN or OUT), other devices or even other HCs in the same IOMMU domain. Lastly, an error from a different USB device on another HC. Was it caused by the above? I don't know, but it may have been. The disk was working without any other issues and generated PCIe traffic to starve the NEC of upstream BW and trigger those MSEs. The two HCs shared one x1 slot by means of a commercial "PCIe splitter" board. [ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd [ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s [ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00 [ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0 Fortunately, it appears that this ridiculous bug is avoided by setting the chain bit of Link TRBs on isochronous rings. Other ancient HCs are known which also expect the bit to be set and they ignore Link TRBs if it's not. Reportedly, 0.95 spec guaranteed that the bit is set. The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports tens of MSEs per second and runs into the bug within seconds. Chaining Link TRBs allows the same workload to run for many minutes, many times. No ne ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2025-22022 is a vulnerability identified in the Linux kernel's USB xHCI (Extensible Host Controller Interface) driver, specifically affecting NEC uPD720200 USB host controllers. The issue arises due to improper handling of isochronous endpoint transfer rings when the 'chain bit' in Link TRBs (Transfer Request Blocks) is not set as expected. This leads to Missed Service Errors (MSEs) and subsequent IOMMU (Input-Output Memory Management Unit) faults. The kernel logs reveal buffer overruns, transfer event errors, and cycle bit mismatches, indicating that data from isochronous USB devices could be erroneously written into random buffers associated with other endpoints, devices, or even other host controllers within the same IOMMU domain. This mismanagement can cause data corruption, unexpected device resets, and I/O errors, as evidenced by errors in USB device resets and disk read failures. The root cause is linked to the NEC host controller's failure to set the chain bit on Link TRBs, which is mandated by the USB 0.95 specification. The vulnerability is mitigated by applying a quirk that enforces the chain bit setting on isochronous endpoints for affected NEC controllers, preventing the buffer overruns and transfer errors. Although no known exploits are reported in the wild, the bug can cause significant instability in systems using these NEC USB controllers, especially under bandwidth-starved conditions or when PCIe bandwidth contention occurs. The vulnerability affects Linux kernel versions identified by specific commit hashes, and the fix involves kernel patches to apply the link chain quirk on NEC isochronous endpoints.
Potential Impact
For European organizations, the impact of CVE-2025-22022 can be significant in environments relying on Linux systems with NEC uPD720200 USB host controllers, particularly in sectors where USB isochronous devices (such as video capture, audio interfaces, or specialized industrial equipment) are critical. The vulnerability can lead to data corruption, device malfunctions, unexpected resets, and I/O errors, potentially disrupting business operations, data integrity, and availability of critical services. Organizations using Linux-based servers, workstations, or embedded systems with these controllers may experience system instability or degraded performance. In industrial, healthcare, or media production environments where isochronous USB devices are common, the risk of operational disruption is heightened. Additionally, the vulnerability could indirectly affect systems sharing PCIe bandwidth, causing cascading failures. Although exploitation requires specific hardware conditions and does not appear to be remotely exploitable, the resulting instability and data integrity issues pose a medium to high operational risk.
Mitigation Recommendations
1. Apply the official Linux kernel patches that implement the link chain quirk for NEC uPD720200 isochronous endpoints as soon as they become available. 2. Identify and inventory systems using NEC uPD720200 USB host controllers to prioritize patch deployment. 3. Where patching is not immediately feasible, consider disabling or limiting the use of isochronous USB devices on affected systems to reduce exposure. 4. Monitor kernel logs for signs of Missed Service Errors, buffer overruns, or IOMMU faults related to USB xHCI to detect potential exploitation or instability. 5. Evaluate PCIe bandwidth allocation and avoid sharing PCIe slots via splitters for critical USB host controllers to minimize bandwidth starvation scenarios that trigger the bug. 6. Engage with hardware vendors to confirm firmware updates or hardware replacements if persistent issues occur despite software mitigations. 7. Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.807Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe7e8a
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 7:55:24 PM
Last updated: 8/12/2025, 9:51:16 PM
Views: 16
Related Threats
Top Israeli Cybersecurity Director Arrested in US Child Exploitation Sting
HighCVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.