CVE-2024-50268 in Linux
Summary
by MITRE • 11/19/2024
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
The "*cmd" variable can be controlled by the user via debugfs. That means "new_cam" can be as high as 255 while the size of the uc->updated[] array
is UCSI_MAX_ALTMODES (30).
The call tree is: ucsi_cmd() // val comes from simple_attr_write_xsigned() -> ucsi_send_command() -> ucsi_send_command_common() -> ucsi_run_command() // calls ucsi->ops->sync_control() -> ucsi_ccg_sync_control()
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/22/2025
The vulnerability CVE-2024-50268 represents a critical out-of-bounds memory access flaw within the Linux kernel's USB Type-C subsystem, specifically in the UCSI (USB Type-C Connector System Interface) implementation. This vulnerability resides in the ucsi_ccg_update_set_new_cam_cmd() function where user-controllable input can lead to memory corruption. The flaw occurs when the "*cmd" variable receives values through debugfs interface, allowing arbitrary control over the "new_cam" parameter which can reach up to 255, significantly exceeding the UCSI_MAX_ALTMODES array boundary of 30 elements. This represents a classic buffer overflow condition that violates fundamental memory safety principles and aligns with CWE-129, which addresses insufficient bound checking for buffer access operations.
The attack vector exploits the debugfs interface mechanism where simple_attr_write_xsigned() processes user input and passes it directly to ucsi_cmd() function without proper validation. The call chain demonstrates how this user-controlled data flows through multiple layers including ucsi_send_command(), ucsi_send_command_common(), ucsi_run_command(), and ultimately reaches ucsi_ccg_sync_control() where the out-of-bounds access occurs. This systematic traversal through the kernel's USB Type-C subsystem illustrates how a single input validation failure can propagate through multiple abstraction layers, creating a path for potential privilege escalation or system instability. The vulnerability specifically targets the CCG (Cypress Chip Genie) USB Type-C controller implementation within the broader UCSI framework, making it particularly concerning for systems relying on USB Type-C connectivity for power delivery and data transfer operations.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to manipulate kernel memory structures and compromise system stability. When the new_cam value exceeds the 30-element uc->updated[] array bounds, the kernel may access memory locations outside the intended array, leading to unpredictable behavior, system crashes, or potential code execution. This type of vulnerability directly relates to ATT&CK technique T1068, which involves exploiting local privilege escalation opportunities through kernel vulnerabilities, and T1547.006, which covers the abuse of kernel modules and drivers. The vulnerability affects systems running Linux kernel versions that include the UCSI implementation, particularly those utilizing USB Type-C controllers that support the CCG protocol, creating widespread exposure across various computing platforms including desktops, servers, and embedded systems.
Mitigation strategies must address both immediate patching and defensive programming practices. The primary solution involves applying the kernel patch that implements proper bounds checking for the new_cam parameter against UCSI_MAX_ALTMODES, ensuring that user input is validated before array indexing occurs. Additionally, system administrators should restrict access to debugfs interfaces where possible, implementing proper access controls and monitoring for unauthorized modifications. The fix should incorporate input sanitization at the interface level, preventing values exceeding array boundaries from being processed by the kernel subsystem. Organizations should also consider implementing runtime protections such as kernel address space layout randomization and stack canaries to detect and prevent exploitation attempts. Regular kernel updates and security audits of USB Type-C subsystem implementations are essential for maintaining system integrity and preventing similar vulnerabilities from emerging in future releases.