CVE-2024-40903 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps
There could be a potential use-after-free case in tcpm_register_source_caps(). This could happen when:
* new (say invalid) source caps are advertised
* the existing source caps are unregistered
* tcpm_register_source_caps() returns with an error as usb_power_delivery_register_capabilities() fails
This causes port->partner_source_caps to hold on to the now freed source caps.
Reset port->partner_source_caps value to NULL after unregistering existing source caps.
Analysis
by VulDB Data Team • 01/03/2025
The vulnerability described in CVE-2024-40903 resides within the Linux kernel's USB Type-C power delivery subsystem, specifically in the tcpm_register_source_caps function. This represents a classic use-after-free condition that can occur during dynamic source capability updates in USB Type-C ports. The flaw manifests when the system attempts to register new source capabilities while simultaneously unregistering existing ones, creating a temporal window where memory management becomes inconsistent. The vulnerability is particularly concerning because it operates within the core USB Type-C power delivery framework that governs how devices negotiate power delivery capabilities, making it a critical component in the broader USB ecosystem.
Technically, the vulnerability is a race condition between the unregistering of existing source capabilities and the registration of new ones. When invalid source capabilities are advertised, the system cleans up the previous capabilities by unregistering them, but fails to reset the port's partner_source_caps pointer. The memory that held the source capability data is freed, yet the port structure continues to reference that now-invalid address. The root cause is the missing nullification of the partner_source_caps pointer after successful unregistration, which leaves a dangling pointer that can lead to memory corruption or arbitrary code execution.
From an operational perspective, this vulnerability poses significant risks to Linux-based systems that rely on USB Type-C power delivery functionality, particularly in laptops, desktops, and mobile devices where power negotiation occurs frequently. The use-after-free condition can potentially be exploited by malicious actors to execute arbitrary code with kernel privileges, as the dangling pointer reference may be manipulated to point to attacker-controlled memory regions. This vulnerability directly impacts the reliability and security of USB Type-C power delivery operations, affecting systems that support USB Power Delivery (PD) protocols and Type-C connector management. The vulnerability affects all Linux kernel versions that implement the USB Type-C power delivery subsystem, making it a widespread concern across various device types and deployment scenarios.
The mitigation in tcpm_register_source_caps is to reset port->partner_source_caps to NULL immediately after unregistering the existing source capabilities; this removes the dangling pointer and keeps memory state consistent throughout the capability registration process. System administrators should prioritize applying kernel updates that contain this fix, particularly in environments where USB Type-C power delivery is heavily utilized. The vulnerability aligns with CWE-416, which covers use-after-free conditions, and could potentially map to ATT&CK technique T1068, as it represents a privilege escalation vector through kernel memory corruption. Organizations should also monitor for unusual USB Type-C power delivery behavior and keep kernel security patches current across their device fleet.
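The error path described above and the upstream fix, as an added C model that is not kernel code: struct and function names are simplified stand-ins for the tcpm and usb_power_delivery ones, the two-slot allocator and the PDO counts are constructed, and unregistering clears an `alive` flag instead of freeing so the dangling reference can be checked without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-ins for the kernel structs; unregister clears `alive` instead of freeing. */
struct pd_caps { bool alive; };
struct tcpm_port { struct pd_caps *partner_source_caps; };
static struct pd_caps caps_pool[2];   /* constructed: two-slot allocator */
static int caps_next;
/* Stand-in for usb_power_delivery_register_capabilities(): fails for an invalid
 * advertisement (here: zero PDOs), which is the trigger named in the advisory. */
static struct pd_caps *pd_register_caps(int pdo_count)
{
    if (pdo_count <= 0 || caps_next >= 2) return NULL; /* kernel: ERR_PTR() */
    caps_pool[caps_next].alive = true;
    return &caps_pool[caps_next++];
}
/* Stand-in for usb_power_delivery_unregister_capabilities(). */
static void pd_unregister_caps(struct pd_caps *c) { if (c) c->alive = false; }
/* Vulnerable flow: old caps unregistered, new registration fails, early return
 * leaves port->partner_source_caps pointing at the freed caps. */
static int register_source_caps_vulnerable(struct tcpm_port *port, int pdos)
{
    if (port->partner_source_caps)
        pd_unregister_caps(port->partner_source_caps);
    struct pd_caps *c = pd_register_caps(pdos);
    if (!c) return -1;
    port->partner_source_caps = c;
    return 0;
}
/* Fixed flow (the upstream change): NULL the pointer right after unregistering. */
static int register_source_caps_fixed(struct tcpm_port *port, int pdos)
{
    if (port->partner_source_caps) {
        pd_unregister_caps(port->partner_source_caps);
        port->partner_source_caps = NULL;
    }
    struct pd_caps *c = pd_register_caps(pdos);
    if (!c) return -1;
    port->partner_source_caps = c;
    return 0;
}
/* True when the port still references caps that were already unregistered. */
static bool port_has_dangling_caps(const struct tcpm_port *p) { return p->partner_source_caps && !p->partner_source_caps->alive; }
/* Advisory scenario: a valid advertisement (3 PDOs), then an invalid one (0). */
static bool scenario_dangles(int (*reg)(struct tcpm_port *, int))
{
    struct tcpm_port port = { NULL }; caps_next = 0;
    reg(&port, 3);   /* constructed: succeeds */
    reg(&port, 0);   /* constructed: fails, error path taken */
    return port_has_dangling_caps(&port);
}
```

Running the same scenario through both flows shows the vulnerable variant leaving a dangling partner_source_caps after the failed registration and the fixed variant leaving it NULL.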