CVE-2021-46980: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4

commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode") introduced retrieval of the PDOs when connected to a PD-capable source. But only the first 4 PDOs are received since that is the maximum number that can be fetched at a time given the MESSAGE_IN length limitation (16 bytes). However, as per the PD spec a connected source may advertise up to a maximum of 7 PDOs.

If such a source is connected it's possible the PPM could have negotiated a power contract with one of the PDOs at index greater than 4, and would be reflected in the request data object's (RDO) object position field. This would result in an out-of-bounds access when the rdo_index() is used to index into the src_pdos array in ucsi_psy_get_voltage_now().

With the help of the UBSAN -fsanitize=array-bounds checker enabled this exact issue is revealed when connecting to a PD source adapter that advertises 5 PDOs and the PPM enters a contract having selected the 5th one.

  [ 151.545106][ T70] Unexpected kernel BRK exception at EL1
  [ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
  ...
  [ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c
  [ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328
  ...
  [ 151.545542][ T70] Call trace:
  [ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c
  [ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0
  [ 151.545550][ T70] dev_uevent+0x200/0x384
  [ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8
  [ 151.545557][ T70] power_supply_changed_work+0x174/0x31c
  [ 151.545562][ T70] process_one_work+0x244/0x6f0
  [ 151.545564][ T70] worker_thread+0x3e0/0xa64

We can resolve this by instead retrieving and storing up to the maximum of 7 PDOs in the con->src_pdos array. This would involve two calls to the GET_PDOS command.
AI Analysis
Technical Summary
CVE-2021-46980 is a vulnerability in the Linux kernel's USB Type-C subsystem, specifically within the USB Type-C Connector System Software Interface (UCSI) driver. The issue arises from improper handling of Power Data Objects (PDOs) during USB Power Delivery (PD) negotiations. The vulnerability was introduced in commit 4dbc6a4ef06d, which aimed to retrieve PDOs from a PD-capable power source. However, due to a limitation in the MESSAGE_IN length (16 bytes), only the first 4 PDOs were fetched, despite the PD specification allowing up to 7 PDOs. If a connected PD source advertises more than 4 PDOs and the Power Policy Manager (PPM) negotiates a power contract with a PDO beyond the fourth, the object position in the request data object (RDO) points past the PDOs the driver stored. This results in an out-of-bounds memory access when the value returned by rdo_index() is used to index into src_pdos in the ucsi_psy_get_voltage_now() function.

The vulnerability can cause kernel crashes, as evidenced by the kernel BRK exception and internal error in the call trace. The root cause is that the driver stores only the PDOs returned by a single GET_PDOS call, while the contract may refer to any of the PDOs the source advertised. The fix makes two GET_PDOS calls to retrieve and store up to the maximum of 7 PDOs allowed by the PD specification. This vulnerability can lead to kernel instability and potential denial of service (DoS) conditions when connecting to malicious or specially crafted PD power sources advertising more than 4 PDOs. Although no known exploits are reported in the wild, the vulnerability is significant due to its kernel-level impact and the ubiquity of Linux in various devices and systems.
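The indexing problem and the two-call retrieval described above, as an added example that is not the kernel's code: a simplified userspace model in C. get_pdos(), read_all_pdos(), voltage_now_mv() and the five-PDO sample source are constructed for illustration; the field positions (object position in RDO bits 30..28, fixed-PDO voltage in bits 19..10 in 50 mV units) follow the USB PD specification, and the range check in voltage_now_mv() is a defensive addition of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define PDO_MAX_OBJECTS 7 /* PD spec maximum number of source PDOs */
#define PDOS_PER_CALL   4 /* 16-byte MESSAGE_IN holds four 32-bit PDOs */

/* Constructed sample source: fixed PDOs for 5, 9, 12, 15 and 20 V. */
static const uint32_t sample_src[] = { 100u << 10, 180u << 10, 240u << 10, 300u << 10, 400u << 10 };
enum { SAMPLE_COUNT = sizeof(sample_src) / sizeof(sample_src[0]) };

/* Hypothetical stand-in for one GET_PDOS command (at most 4 PDOs). */
static int get_pdos(int offset, int want, uint32_t *out)
{
    int n = 0;
    if (want > PDOS_PER_CALL)
        want = PDOS_PER_CALL;
    for (; n < want && offset + n < SAMPLE_COUNT; n++)
        out[n] = sample_src[offset + n];
    return n;
}

/* Two-call retrieval: ask for PDOs 5..7 only if the first call was full. */
static int read_all_pdos(uint32_t pdos[PDO_MAX_OBJECTS])
{
    int n = get_pdos(0, PDOS_PER_CALL, pdos);
    if (n == PDOS_PER_CALL)
        n += get_pdos(n, PDO_MAX_OBJECTS - n, pdos + n);
    return n;
}

/* Object position of the contracted PDO: RDO bits 30..28, 1-based. */
static unsigned rdo_index(uint32_t rdo) { return (rdo >> 28) & 7; }

/* Voltage in mV, or -1 when the RDO points outside the stored PDOs. */
static int voltage_now_mv(const uint32_t *pdos, int num, uint32_t rdo)
{
    unsigned idx = rdo_index(rdo);
    if (idx == 0 || idx > (unsigned)num)
        return -1; /* unchecked, pdos[idx - 1] would read out of bounds */
    return (int)((pdos[idx - 1] >> 10) & 0x3ff) * 50;
}

int main(void)
{
    uint32_t pdos[PDO_MAX_OBJECTS];
    int n = read_all_pdos(pdos);
    printf("%d PDOs, contract on #5: %d mV\n", n, voltage_now_mv(pdos, n, 5u << 28));
    return 0;
}
```

With only the first call's four PDOs stored, a contract on object position 5 has no backing entry, which is the condition the UBSAN trace reports.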
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that interact with USB Type-C PD power sources. The impact includes potential kernel crashes leading to system instability or denial of service, which can disrupt critical operations, especially in environments relying on Linux-based infrastructure such as servers, embedded devices, and workstations. Organizations using Linux laptops or devices powered via USB Type-C PD adapters could experience unexpected reboots or failures if connected to malicious or misconfigured PD power sources. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting denial of service could impact availability of services and systems. In sectors like manufacturing, telecommunications, and critical infrastructure—where Linux is prevalent—this could translate to operational downtime. Additionally, the vulnerability could be exploited in targeted attacks where adversaries supply malicious PD power sources to cause disruption. Given the increasing adoption of USB Type-C in enterprise hardware, the threat surface is broad. However, the lack of known exploits and the requirement for physical connection to a malicious PD source somewhat limits remote exploitation, reducing the overall risk to remote or cloud-based systems.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Ensure Linux systems are updated to kernel versions where this vulnerability is patched, specifically those that implement the fix to retrieve all PDOs via multiple GET_PDOS calls.
2) Implement strict hardware supply chain controls to prevent the introduction of malicious or non-compliant USB Type-C PD power sources, especially in sensitive environments.
3) Employ endpoint security solutions that monitor kernel stability and log unusual USB device behaviors to detect potential exploitation attempts.
4) For critical systems, consider disabling USB Type-C PD negotiation or restricting USB device connections where feasible.
5) Conduct regular audits of connected USB devices and power adapters to ensure compliance with PD specifications.
6) Engage with hardware vendors to verify that supplied USB Type-C power adapters conform to standards and do not advertise excessive PDOs beyond specification limits.
These measures go beyond generic patching by addressing the physical and operational vectors that could be exploited.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.945Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9996
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 6:40:05 PM
Last updated: 7/29/2025, 7:28:47 PM