CVE-2024-26995 in Linuxinfo

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: Correct the PDO counting in pd_set

Off-by-one errors happen because nr_snk_pdo and nr_src_pdo are incorrectly added one. The index of the loop is equal to the number of PDOs to be updated when leaving the loop and it doesn't need to be added one.

When doing the power negotiation, TCPM relies on the "nr_snk_pdo" as the size of the local sink PDO array to match the Source capabilities of the partner port. If the off-by-one overflow occurs, a wrong RDO might be sent and unexpected power transfer might happen such as over voltage or over current (than expected).

"nr_src_pdo" is used to set the Rp level when the port is in Source role. It is also the array size of the local Source capabilities when filling up the buffer which will be sent as the Source PDOs (such as in Power Negotiation). If the off-by-one overflow occurs, a wrong Rp level might be set and wrong Source PDOs will be sent to the partner port. This could potentially cause over current or port resets.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/06/2026

The vulnerability described in CVE-2024-26995 resides within the Linux kernel's USB Type-C implementation, specifically within the TCPM (Type-C Port Manager) subsystem that handles power delivery negotiations. This flaw manifests as an off-by-one error in the pd_set function where the variables nr_snk_pdo and nr_src_pdo are incorrectly incremented by one during power negotiation processes. The technical root cause occurs when loop indices are used to determine array bounds, where the loop termination condition results in an additional increment that should not occur, leading to incorrect array boundary calculations. This vulnerability is classified under CWE-191 Integer Underflow/Overflow, which represents a fundamental programming error where integer arithmetic operations produce values outside the range of the data type, potentially leading to memory corruption or unexpected behavior.

The operational impact of this vulnerability extends across USB power delivery negotiations where the TCPM component must accurately calculate power requirements and capabilities between connected devices. When the nr_snk_pdo variable is incorrectly incremented, the system misinterprets the size of the local sink PDO (Power Data Object) array, causing the TCPM to send incorrect RDO (Request Data Object) messages to partner ports. This misconfiguration could result in unintended power transfer scenarios including overvoltage or overcurrent conditions that exceed expected power delivery parameters. The nr_src_pdo variable's incorrect handling affects source port operations where it determines the Rp (resistor pull-up) level and the size of source capabilities arrays. When this variable is miscalculated, incorrect Rp levels may be set and malformed source PDOs are transmitted to partner devices, potentially causing overcurrent situations or port resets that disrupt normal device operation.

The security implications of this vulnerability are significant within the context of USB power delivery protocols and device safety standards. The potential for overvoltage or overcurrent conditions represents a risk to both device hardware integrity and user safety, as these power delivery anomalies could cause component damage or thermal runaway in connected devices. From an ATT&CK framework perspective, this vulnerability could be leveraged in supply chain attacks or device compromise scenarios where malicious actors manipulate power delivery negotiations to create persistent access vectors. The vulnerability affects the integrity of the USB Type-C power delivery protocol implementation, potentially allowing adversaries to disrupt normal device operations or create conditions that could lead to more serious security incidents. Mitigation strategies should include immediate kernel updates to address the specific off-by-one error in the TCPM subsystem, along with comprehensive testing of USB power delivery functionality to ensure proper PDO counting and power negotiation behavior. Organizations should also implement monitoring for unusual power delivery patterns and consider device-specific security measures to detect and respond to potential exploitation attempts targeting this vulnerability.

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00236

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!