
CVE-2024-26995: Vulnerability in Linux Linux

High
Published: Wed May 01 2024 (05/01/2024, 05:28:12 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: Correct the PDO counting in pd_set

Off-by-one errors happen because nr_snk_pdo and nr_src_pdo are incorrectly added one. The index of the loop is equal to the number of PDOs to be updated when leaving the loop and it doesn't need to be added one.

When doing the power negotiation, TCPM relies on the "nr_snk_pdo" as the size of the local sink PDO array to match the Source capabilities of the partner port. If the off-by-one overflow occurs, a wrong RDO might be sent and unexpected power transfer might happen such as over voltage or over current (than expected).

"nr_src_pdo" is used to set the Rp level when the port is in Source role. It is also the array size of the local Source capabilities when filling up the buffer which will be sent as the Source PDOs (such as in Power Negotiation). If the off-by-one overflow occurs, a wrong Rp level might be set and wrong Source PDOs will be sent to the partner port. This could potentially cause over current or port resets.

AI-Powered Analysis

Last updated: 06/29/2025, 14:10:48 UTC

Technical Analysis

CVE-2024-26995 is a vulnerability in the Linux kernel's USB Type-C Port Manager (TCPM) subsystem, in the handling of Power Data Objects (PDOs) during USB Power Delivery (PD) negotiation. The flaw stems from off-by-one errors in counting the number of sink PDOs (nr_snk_pdo) and source PDOs (nr_src_pdo). Each counter is set to the loop index plus one, although the loop index already equals the number of PDOs updated when the loop exits, so the stored count is one larger than the number of PDOs actually present. This results in an off-by-one overflow when TCPM processes the PDO arrays.

During power negotiation, TCPM uses nr_snk_pdo as the size of the local sink PDO array when matching the source capabilities of the connected partner port. An off-by-one overflow here can cause TCPM to send an incorrect Request Data Object (RDO), potentially leading to unexpected power transfer such as overvoltage or overcurrent beyond the expected parameters.

Similarly, nr_src_pdo is used when the port acts as a power source, both to set the Rp (pull-up resistor) level and as the array size when filling the buffer with the source PDOs that are sent to the partner port. An off-by-one overflow in this context can cause TCPM to set an incorrect Rp level and send wrong source PDOs, which could result in overcurrent conditions or cause the port to reset unexpectedly.

The vulnerability is rooted in incorrect array boundary management in the TCPM code, which can lead to power negotiation errors with connected USB Type-C devices. While no known exploits are currently reported in the wild, the potential for hardware damage or denial of service through power mismanagement exists. This vulnerability affects Linux kernel versions identified by the commit hash cd099cde4ed264403b434d8344994f97ac2a4349 and likely other versions containing the same TCPM code base. The issue was publicly disclosed on May 1, 2024, and has been acknowledged by the Linux project, though no CVSS score has been assigned yet.
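The counting error described in the Description and in the analysis above, reduced to a small C model of the sink-side counter (the source-side counter has the same shape). This is an added example, not the kernel's code: `struct model_port`, the two setter functions, `count_is_sane` and the array capacity of 7 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define PDO_MAX_OBJECTS 7 /* assumed capacity: USB PD allows 7 PDOs per message */

struct model_port { /* hypothetical stand-in, not the kernel's struct tcpm_port */
    uint32_t snk_pdo[PDO_MAX_OBJECTS];
    unsigned int nr_snk_pdo;
};

/* "Before": copy a zero-terminated PDO list, then store index + 1 as the count. */
static void set_snk_pdo_buggy(struct model_port *p, const uint32_t *pdo)
{
    unsigned int i;
    for (i = 0; i < PDO_MAX_OBJECTS && pdo[i]; i++)
        p->snk_pdo[i] = pdo[i];
    p->nr_snk_pdo = i + 1; /* one too many: i already equals the number copied */
}

/* "After": the loop index on exit is the count. */
static void set_snk_pdo_fixed(struct model_port *p, const uint32_t *pdo)
{
    unsigned int i;
    for (i = 0; i < PDO_MAX_OBJECTS && pdo[i]; i++)
        p->snk_pdo[i] = pdo[i];
    p->nr_snk_pdo = i;
}

/* Consistency check a consumer could apply before trusting the count. */
static int count_is_sane(const struct model_port *p)
{
    unsigned int i;
    if (p->nr_snk_pdo > PDO_MAX_OBJECTS)
        return 0; /* count points past the end of the array */
    for (i = 0; i < p->nr_snk_pdo; i++)
        if (p->snk_pdo[i] == 0)
            return 0; /* count covers a slot that was never set */
    return 1;
}

int main(void)
{
    const uint32_t full[PDO_MAX_OBJECTS] = {1, 2, 3, 4, 5, 6, 7}; /* constructed */
    struct model_port p = {0};
    set_snk_pdo_buggy(&p, full);
    printf("buggy: nr=%u sane=%d\n", p.nr_snk_pdo, count_is_sane(&p));
    set_snk_pdo_fixed(&p, full);
    printf("fixed: nr=%u sane=%d\n", p.nr_snk_pdo, count_is_sane(&p));
    return 0;
}
```

With a full list the "before" count is 8 for a 7-entry array; with a shorter list it covers one unset (zero) entry, which is the slot a later consumer would treat as a real PDO.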

Potential Impact

For European organizations, this vulnerability poses risks primarily to devices and systems that rely on Linux-based kernels with USB Type-C ports managed by the TCPM subsystem. The impact includes potential hardware damage due to overvoltage or overcurrent conditions during USB Power Delivery negotiations, which can affect laptops, embedded systems, industrial control devices, and other hardware using USB-C for power. Unexpected port resets could lead to denial of service conditions, disrupting critical operations especially in industrial, healthcare, or infrastructure environments where Linux-powered devices are prevalent. The risk is heightened in sectors with extensive use of USB-C for power delivery and data, such as telecommunications, manufacturing, and enterprise IT. Additionally, since the vulnerability involves power negotiation, it could be exploited to degrade device reliability or cause intermittent failures, complicating troubleshooting and maintenance. Although no active exploits are known, the potential for physical damage or operational disruption makes this a significant concern for organizations with large Linux deployments. The vulnerability also raises safety concerns, as improper power delivery can damage connected peripherals or the host device itself, leading to increased repair costs and downtime.

Mitigation Recommendations

To mitigate CVE-2024-26995, European organizations should prioritize updating their Linux kernel to the latest patched versions that correct the off-by-one errors in the TCPM code. Kernel updates should be tested and deployed promptly, especially on devices that utilize USB Type-C power delivery. For embedded or specialized systems where kernel updates are not immediately feasible, organizations should consider disabling USB Power Delivery negotiation or restricting USB-C power roles to minimize exposure. Implementing hardware-level protections such as overcurrent and overvoltage protection circuits can provide an additional safety net against power negotiation errors. Monitoring USB-C port behavior and logging power negotiation events can help detect anomalies indicative of exploitation attempts or hardware issues. Organizations should also review their device inventories to identify Linux-based systems with USB-C ports and prioritize patching accordingly. Vendor coordination is essential to ensure firmware and driver updates align with kernel patches. Finally, educating IT and security teams about the risks associated with USB Power Delivery vulnerabilities can improve incident response readiness.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.206Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe3053

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 2:10:48 PM

Last updated: 8/1/2025, 2:14:22 AM
