CVE-2024-36893

usb: typec: tcpm: Check for port partner validity before consuming it

Description

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: Check for port partner validity before consuming it typec_register_partner() does not guarantee partner registration to always succeed. In the event of failure, port->partner is set to the error value or NULL. Given that port->partner validity is not checked, this results in the following crash: Unable to handle kernel NULL pointer dereference at virtual address xx pc : run_state_machine+0x1bc8/0x1c08 lr : run_state_machine+0x1b90/0x1c08 .. Call trace: run_state_machine+0x1bc8/0x1c08 tcpm_state_machine_work+0x94/0xe4 kthread_worker_fn+0x118/0x328 kthread+0x1d0/0x23c ret_from_fork+0x10/0x20 To prevent the crash, check for port->partner validity before derefencing it in all the call sites.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.04%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/2a07e6f0ad8a6e504a3912cfe8dc859b7d0740a5
https://git.kernel.org/stable/c/d56d2ca03cc22123fd7626967d096d8661324e57 patch
https://git.kernel.org/stable/c/789326cafbd1f67f424436b6bc8bdb887a364637 patch
https://git.kernel.org/stable/c/fc2b655cb6dd2b381f1f284989721002e39b6b77 patch
https://git.kernel.org/stable/c/ae11f04b452b5205536e1c02d31f8045eba249dd patch

Frequently Asked Questions

What is the severity of CVE-2024-36893?
CVE-2024-36893 has been scored as a medium severity vulnerability.
How to fix CVE-2024-36893?
To fix CVE-2024-36893, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-36893 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-36893 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-36893?
CVE-2024-36893 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.