CVE-2022-50470 Affecting libperf package, versions *


Severity

Recommended
medium

Based on CentOS security rating.

Threat Intelligence

EPSS
0.02% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS9-LIBPERF-13342425
  • published7 Oct 2025
  • disclosed4 Oct 2025

Introduced: 4 Oct 2025

NewCVE-2022-50470  (opens in a new tab)

How to fix?

There is no fixed version for Centos:9 libperf.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libperf package and not the libperf package as distributed by Centos. See How to fix? for Centos:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

xhci: Remove device endpoints from bandwidth list when freeing the device

Endpoints are normally deleted from the bandwidth list when they are dropped, before the virt device is freed.

If xHC host is dying or being removed then the endpoints aren't dropped cleanly due to functions returning early to avoid interacting with a non-accessible host controller.

So check and delete endpoints that are still on the bandwidth list when freeing the virt device.

Solves a list_del corruption kernel crash when unbinding xhci-pci, caused by xhci_mem_cleanup() when it later tried to delete already freed endpoints from the bandwidth list.

This only affects hosts that use software bandwidth checking, which currenty is only the xHC in intel Panther Point PCH (Ivy Bridge)

CVSS Base Scores

version 3.1