CVE-2024-26932 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()
When unregister pd capabilitie in tcpm, KASAN will capture below double -free issue. The root cause is the same capabilitiy will be kfreed twice, the first time is kfreed by pd_capabilities_release() and the second time is explicitly kfreed by tcpm_port_unregister_pd().
[ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc
[ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10
[ 4.001206]
[ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53
[ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)
[ 4.017569] Workqueue: events_unbound deferred_probe_work_func
[ 4.023456] Call trace:
[ 4.025920] dump_backtrace+0x94/0xec
[ 4.029629] show_stack+0x18/0x24
[ 4.032974] dump_stack_lvl+0x78/0x90
[ 4.036675] print_report+0xfc/0x5c0
[ 4.040289] kasan_report_invalid_free+0xa0/0xc0
[ 4.044937] __kasan_slab_free+0x124/0x154
[ 4.049072] kfree+0xb4/0x1e8
[ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc
[ 4.056725] tcpm_register_port+0x1dd0/0x2558
[ 4.061121] tcpci_register_port+0x420/0x71c
[ 4.065430] tcpci_probe+0x118/0x2e0
To fix the issue, this will remove kree() from tcpm_port_unregister_pd().
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/26/2026
The vulnerability CVE-2024-26932 represents a critical double-free error within the Linux kernel's USB Type-C driver subsystem, specifically affecting the tcpm (Type-C Port Manager) component. This issue occurs during the unregistering of power delivery capabilities in USB Type-C ports, creating a scenario where the same memory block is freed twice, leading to potential system instability and security risks. The problem manifests through KASAN (Kernel Address Sanitizer) detection, which identifies the double-free condition when attempting to release power delivery capabilities. The root cause stems from the tcpm_port_unregister_pd() function attempting to explicitly free memory that has already been freed by the pd_capabilities_release() function, creating a classic memory corruption vulnerability. This vulnerability resides within the USB Type-C subsystem's power delivery management code, which is responsible for handling the complex negotiations and power management protocols between USB Type-C devices and host systems.
The technical flaw specifically involves improper memory management within the USB Type-C power delivery subsystem, where the tcpm_port_unregister_pd() function contains redundant memory deallocation logic. When a USB Type-C port is being unregistered, the system first calls pd_capabilities_release() which frees the power delivery capabilities structure, but then tcpm_port_unregister_pd() explicitly calls kfree() on the same memory location, resulting in the double-free condition. This memory corruption can lead to arbitrary code execution, system crashes, or privilege escalation attacks. The vulnerability is classified under CWE-415 as Double Free, which is a well-known vulnerability pattern that occurs when a program attempts to free the same memory block twice, potentially allowing attackers to manipulate heap memory and execute malicious code. The ATT&CK framework categorizes this under T1059.001 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation) as it represents a memory corruption vulnerability that can be exploited to gain elevated privileges within the kernel space.
The operational impact of this vulnerability extends beyond simple system instability, as it can compromise the integrity of USB Type-C power delivery negotiations and potentially affect device connectivity and power management functionality. Systems utilizing USB Type-C ports for power delivery, particularly mobile devices, laptops, and embedded systems, face elevated risk during the dynamic registration and unregistration of USB Type-C ports. The vulnerability is particularly concerning in environments where USB Type-C ports are frequently connected and disconnected, as the double-free condition can occur during these operations. The exploitation of this vulnerability could allow an attacker to execute arbitrary code with kernel privileges, potentially leading to complete system compromise. This is especially relevant in mobile and embedded devices where USB Type-C ports are commonly used for both data transfer and power delivery, creating a larger attack surface for potential exploitation.
The fix for CVE-2024-26932 involves removing the explicit kfree() call from the tcpm_port_unregister_pd() function, eliminating the redundant memory deallocation that causes the double-free condition. This solution follows standard kernel memory management practices by ensuring that each allocated memory block is freed exactly once, preventing the corruption of kernel memory structures. The patch aligns with the principle of proper resource management and adheres to the Linux kernel's memory safety guidelines, which require that memory allocation and deallocation operations maintain strict one-to-one correspondence. Organizations should prioritize applying this patch to all systems running affected Linux kernel versions, particularly those utilizing USB Type-C ports for power delivery operations. The mitigation strategy should also include monitoring for any system instability or unexpected behavior following patch application, as kernel memory management fixes can sometimes introduce unexpected side effects in complex subsystem interactions. This vulnerability highlights the importance of thorough code review and testing of kernel subsystems, particularly those handling hardware device management and power delivery protocols, which are increasingly critical in modern computing environments.