CVE-2026-53305
Received - Intake
Kernel Oops in ps883x Type-C Driver on Unbind

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ps883x: Fix Oops at unbind

When trying to unbind a device in order to bind to it vfio-platform as:

  echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind

I get the following Oops:

  [ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
  [ 436.487762] Mem abort info:
  [ 436.490716] ESR = 0x0000000096000004
  [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits
  [ 436.500071] SET = 0, FnV = 0
  [ 436.503250] EA = 0, S1PTW = 0
  [ 436.506505] FSC = 0x04: level 0 translation fault
  [ 436.511533] Data abort info:
  [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000
  [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000
  [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP
  [ 436.550374] Modules linked in:
  [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT
  [ 436.564440] Tainted: [W]=WARN
  [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025
  [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
  [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94
  [ 436.586605] lr : i2c_device_remove+0x28/0x84
  [ 436.591017] sp : ffff8000847137c0

That's because the ps883x_retimer_remove() retrieves the driver data from i2c_get_clientdata() which was never set at probe.

So, add i2c_set_clientdata() at the end of the probe.

Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE

Vendor        Product       Version / Range
linux_kernel  linux_kernel  7.0.0-rc3-g56fcdd0911a5-dirty

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's USB Type-C driver for the ps883x retimer device. Unbinding the device triggers a kernel Oops caused by a NULL pointer dereference in ps883x_retimer_remove(). The remove function retrieves the driver data with i2c_get_clientdata(), but that data was never set during probe, so the function dereferences a NULL pointer. The fix calls i2c_set_clientdata() at the end of the probe function so that remove receives valid driver data.

Impact Analysis

This vulnerability can cause the Linux kernel to crash or become unstable when unbinding the affected USB Type-C device. The NULL pointer dereference leads to a kernel 'Oops', which is a serious error that can disrupt system operation, potentially causing loss of data or requiring a system reboot.

Detection Guidance

This vulnerability manifests as a kernel Oops when attempting to unbind a device using the unbind interface in sysfs.

You can detect the vulnerability by attempting to unbind the device and observing if a kernel Oops occurs with messages similar to a NULL pointer dereference in the ps883x_retimer_remove function.

The command from the report, which unbinds the device bc0000.geniqup, is:

  • echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind

If the kernel logs (dmesg) show an Oops with details about a NULL pointer dereference related to ps883x_retimer_remove, the system is vulnerable.

Mitigation Strategies

The vulnerability is fixed by ensuring that i2c_set_clientdata() is called at the end of the probe function for the ps883x driver to properly set driver data.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid unbinding the affected device (bc0000.geniqup in the report) until the fix is applied.
  • Monitor kernel logs for Oops messages related to ps883x_retimer_remove to detect attempts that trigger the vulnerability.
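
One way to implement the log monitoring from the last mitigation step, as an added example that is not part of the original advisory: a POSIX shell function that scans kernel log text for a NULL pointer dereference Oops whose faulting pc is in ps883x_retimer_remove. The function names and the embedded sample log (abridged from the Oops in the description) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the Oops signature from this CVE in kernel log text.
# Assumes the arm64 Oops layout quoted in the description ("pc : sym+off/len").

# Constructed sample, abridged from the Oops quoted in the description.
sample_log() {
cat <<'EOF'
[  436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
[  436.544548] Internal error: Oops: 0000000096000004 [#1] SMP
[  436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT
[  436.581841] pc : ps883x_retimer_remove+0x14/0x94
[  436.586605] lr : i2c_device_remove+0x28/0x84
EOF
}

# Reads kernel log lines on stdin and prints one line per NULL-dereference
# Oops whose faulting pc is in ps883x_retimer_remove.
# Exit status: 0 if at least one was found, 1 otherwise.
find_ps883x_oops() {
    awk '
    /Unable to handle kernel NULL pointer dereference/ {
        in_oops = 1; addr = $NF; pid = "?"; comm = "?"
        next
    }
    in_oops && / PID: / {
        for (i = 1; i < NF; i++) {
            if ($i == "PID:")  pid  = $(i + 1)
            if ($i == "Comm:") comm = $(i + 1)
        }
        next
    }
    in_oops && /pc : / {
        # Only the faulting function matters; a bare mention of the
        # symbol outside an Oops block never reaches this rule.
        if ($0 ~ /pc : ps883x_retimer_remove\+/) {
            printf "ps883x unbind Oops: addr=%s pid=%s comm=%s\n", addr, pid, comm
            hits++
        }
        in_oops = 0
    }
    END { exit (hits > 0 ? 0 : 1) }
    '
}

# Live use: dmesg | find_ps883x_oops
sample_log | find_ps883x_oops
```

The exit status makes the function usable as a condition in a cron job or alerting hook; the printed line records the faulting address and the process that wrote to the unbind file.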