Description
In the Linux kernel, the following vulnerability has been resolved:

platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration

cros_typec_register_thunderbolt() missed initializing the `adata->lock`
mutex. This leads to a NULL dereference when the mutex is later
acquired (e.g. in cros_typec_altmode_work()).

Initialize the mutex in cros_typec_register_thunderbolt() to fix the
issue.

Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from a missing initialization of the mutex in cros_ec_typec's Thunderbolt registration routine. When an attacker successfully triggers the registration process – for example by connecting a crafted Thunderbolt device – the subsequent attempt to lock the uninitialized mutex results in a null‑pointer dereference, causing a kernel oops and system crash. This flaw is classified as a null‑pointer dereference (CWE‑476) and an improper initialization (CWE‑665). The consequence is a denial of service; no arbitrary code execution is possible.

Affected Systems

This issue affects the Linux kernel's Chrome OS cros_ec_typec driver, which is part of the platform/chrome subsystem. Any system – including Chrome OS devices or distributions that ship a kernel containing the unpatched cros_ec_typec module – can be impacted if Thunderbolt support is enabled. The vulnerability does not require any user‑level privileges beyond the ability to trigger the registration routine via a Thunderbolt device.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, making it difficult to quantify the exact severity. The vulnerability is not listed in CISA’s KEV catalog, suggesting that no widespread exploitation has been observed. Because the flaw requires direct interaction with the Thunderbolt subsystem, the attack vector is local or requires the attacker to control the device connecting to the target. The risk is therefore moderate and primarily limited to causing a system crash rather than enabling remote code execution.

Generated by OpenCVE AI on May 28, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch to initialize the mutex in cros_typec_register_thunderbolt.
  • Upgrade to the latest supported kernel release from your distribution’s repository if one is available.
  • If an update cannot be applied, disable Thunderbolt support either by blacklisting the cros_ec_typec module or by adding kernel boot parameters that prevent the driver from loading.

Generated by OpenCVE AI on May 28, 2026 at 13:21 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 10:15:00 +0000

Values Removed: (none)
Values Added:
  Description: In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex. This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()). Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.
  Title: platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
  First Time appeared: Linux; Linux linux Kernel
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:48.624Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46134

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-28T10:16:28.970

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:30:15Z

Weaknesses

No weakness.