Description
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: Fix error pointer dereference

The variable tps->partner is checked for an error pointer and then if it
is, it sends an error message but does not return and then immediately
dereferenced a few lines below:

	tps->partner = typec_register_partner(tps->port, &desc);
	if (IS_ERR(tps->partner))
		dev_warn(tps->dev, "%s: failed to register partnet\n", __func__);

	if (desc.identity) {
		typec_partner_set_identity(tps->partner);
		cd321x->cur_partner_identity = st.partner_identity;
	}

Add early return and fix spelling mistake in error message.

Detected by Smatch:
drivers/usb/typec/tipd/core.c:827 cd321x_update_work() error:
'tps->partner' dereferencing possible ERR_PTR()
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in the Linux kernel USB Type‑C driver when partner registration fails: the code reports the error but continues to use the returned pointer, which may hold an error value (an ERR_PTR) instead of a valid object. Dereferencing this value can cause the kernel to crash, resulting in a denial‑of‑service condition. The vulnerability does not provide a direct path to code execution, but a kernel panic could be leveraged by a privileged adversary to compromise the system. The defect was identified by the Smatch static analyzer and fixed by a commit sequence that added the missing early return and corrected a typo in the warning message.
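A userspace model of the pattern described above, added here as an example (it is not code from the kernel or from the fix commits). The helpers mirror the kernel's ERR_PTR convention; `register_partner`, `struct partner`, `struct port_state` and both update functions are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the kernel's ERR_PTR helpers: a failed call returns a non-NULL pointer. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct partner { int identity_set; };            /* hypothetical stand-in */
struct port_state { struct partner *partner; };  /* models tps */

/* Hypothetical stand-in for typec_register_partner(); fails on request. */
static struct partner *register_partner(struct partner *slot, int fail)
{
	return fail ? ERR_PTR(-ENOMEM) : slot;
}

/* Described flow, modelled without crashing: 1 if the use is reached with an ERR_PTR. */
static int buggy_reaches_deref(struct port_state *tps, struct partner *slot, int fail, int has_identity)
{
	tps->partner = register_partner(slot, fail);
	if (IS_ERR(tps->partner))
		fprintf(stderr, "%s: failed to register partnet\n", __func__);
	return has_identity && IS_ERR(tps->partner);  /* no return above: falls through */
}

/* Early-return flow: the error is reported and the pointer is not used. */
static int update_fixed(struct port_state *tps, struct partner *slot, int fail, int has_identity)
{
	tps->partner = register_partner(slot, fail);
	if (IS_ERR(tps->partner)) {
		fprintf(stderr, "%s: failed to register partner\n", __func__);
		return (int)PTR_ERR(tps->partner);
	}
	if (has_identity)
		tps->partner->identity_set = 1;  /* only reached with a valid pointer */
	return 0;
}

int main(void)
{
	struct partner slot = {0};
	struct port_state tps = {0};
	printf("buggy reaches deref: %d\n", buggy_reaches_deref(&tps, &slot, 1, 1));
	printf("fixed returns: %d\n", update_fixed(&tps, &slot, 1, 1));
	return 0;
}
```

Because an ERR_PTR is not NULL, a NULL check alone does not catch this failure; the value has to be tested with IS_ERR() before any use.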

Affected Systems

All Linux kernel builds that include the USB Type‑C driver with a partner registration routine are affected. No specific kernel version range is listed; the issue exists in any release that contains the buggy code before the documented commits. Updating to a kernel version incorporating the fixes from the referenced commits or newer kernels should eliminate the problem.

Risk and Exploitability

The vulnerability requires physical access to a USB Type‑C device that triggers a partner registration failure. Attack complexity is low, and local access is sufficient. The exploitation likelihood is uncertain due to lack of EPSS data, but the impact of a kernel crash is high. Although the CVSS score is not stated, the potential for a DoS scenario places this flaw in a moderate‑to‑high risk category. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

Generated by OpenCVE AI on June 24, 2026 at 18:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for the Type‑C driver – the relevant commits can be found in the kernel source tree. Specifically, apply the changes introduced by commits 19951118fb22b5ad512379ee64510fe0e2c40eb3, 9e31082f92c913d74fefb4e60cd0284e605ba3a3, and f2529d08fcb429ea01bb87c326342f41483f8b2f.
  • If a kernel upgrade is not possible immediately, disable the USB Type‑C driver by configuring CONFIG_USB_TYPEC=n or unloading the associated module to prevent the faulty code from executing.
  • After applying the update or disabling the driver, validate system stability by connecting a USB Type‑C device and monitoring kernel logs for any usb_typec related warnings or errors.

Generated by OpenCVE AI on June 24, 2026 at 18:55 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: usb: typec: Fix error pointer dereference The variable tps->partner is checked for an error pointer and then if it is, it sends an error message but does not return and then immediately dereferenced a few lines below: tps->partner = typec_register_partner(tps->port, &desc); if (IS_ERR(tps->partner)) dev_warn(tps->dev, "%s: failed to register partnet\n", __func__); if (desc.identity) { typec_partner_set_identity(tps->partner); cd321x->cur_partner_identity = st.partner_identity; } Add early return and fix spelling mistake in error message. Detected by Smatch: drivers/usb/typec/tipd/core.c:827 cd321x_update_work() error: 'tps->partner' dereferencing possible ERR_PTR()
Title | | usb: typec: Fix error pointer dereference
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:36.615Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53028

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:00:06Z

Weaknesses