CVE-2024-40903

usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps There could be a potential use-after-free case in
tcpm_register_source_caps(). This could happen when: * new (say invalid) source caps are advertised * the existing source caps are unregistered * tcpm_register_source_caps() returns with an error as usb_power_delivery_register_capabilities() fails This causes port->partner_source_caps to hold on to the now freed source
caps. Reset port->partner_source_caps value to NULL after unregistering
existing source caps.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: typec: tcpm: arreglar el caso de use-after-free en tcpm_register_source_caps Podría haber un posible caso de use-after-free en tcpm_register_source_caps(). Esto podría suceder cuando: * se anuncian límites de fuente nuevos (por ejemplo, no válidos) * los límites de fuente existentes no están registrados * tcpm_register_source_caps() devuelve un error ya que usb_power_delivery_register_capabilities() falla Esto hace que port->partner_source_caps conserve los límites de fuente ahora liberados. Restablezca el valor de puerto->partner_source_caps a NULL después de cancelar el registro de los límites de origen existentes.

A vulnerability was found in the tcpm_register_source_caps function in the Linux kernel's USB Type-C TCPM component. This issue arises when new, potentially invalid source capabilities are advertised while existing capabilities are unregistered, leading to a use-after-free condition if the registration fails.

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps There could be a potential use-after-free case in tcpm_register_source_caps(). This could happen when: * new (say invalid) source caps are advertised * the existing source caps are unregistered * tcpm_register_source_caps() returns with an error as usb_power_delivery_register_capabilities() fails This causes port->partner_source_caps to hold on to the now freed source caps. Reset port->partner_source_caps value to NULL after unregistering existing source caps.

Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-12 CVE Published
2025-05-04 CVE Updated
2025-06-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/cfcd544a9974c6b6fb37ca385146e4796dcaf66d	Vuln. Introduced
https://git.kernel.org/stable/c/b16abab1fb645c4b7a86c357dc83a48cf21c2795	Vuln. Introduced
https://git.kernel.org/stable/c/230ecdf71a644c9c73e0e6735b33173074ae3f94	Vuln. Introduced
https://git.kernel.org/stable/c/931b5f302d6f7126dbd6879c42d3d6ca580be423	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4053696594d7235f3638d49a00cf0f289e4b36a3	2024-06-21
https://git.kernel.org/stable/c/04c05d50fa79a41582f7bde8a1fd4377ae4a39e5	2024-06-21
https://git.kernel.org/stable/c/6b67b652849faf108a09647c7fde9b179ef24e2b	2024-06-21
https://git.kernel.org/stable/c/e7e921918d905544500ca7a95889f898121ba886	2024-06-04

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-40903	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2297487	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.91 < 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.91 < 6.1.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.31 < 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.31 < 6.6.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.9 < 6.9.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.9 < 6.9.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.9 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.9 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.8.10 Search vendor "Linux" for product "Linux Kernel" and version "6.8.10"		en		Affected