CVE-2024-26995
📋 TL;DR
CVE-2024-26995 is an off-by-one vulnerability in the Linux kernel's USB Type-C Power Delivery (PD) subsystem that can cause incorrect power negotiation between devices. When exploited, it may lead to over-voltage or over-current conditions that can damage connected hardware. Any system running an affected Linux kernel version with USB Type-C PD functionality is vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Physical damage to USB Type-C devices, ports, or connected hardware due to incorrect power delivery causing over-voltage or over-current conditions.
Likely Case
Unexpected device behavior, port resets, or power delivery failures during USB Type-C power negotiation.
If Mitigated
No impact if proper power protection circuits exist in hardware or if USB Type-C PD functionality is disabled.
🎯 Exploit Status
Exploitation requires a physical USB Type-C connection to the vulnerable system. No authentication is needed once the physical connection is established.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel trees (commits c4128304c2169b4664ed6fb6200f228cead2ab70 and f3da3192cdd3fefe213390e976eec424a8e270b5)
Vendor Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution's repositories.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after the reboot.
🔧 Temporary Workarounds
Disable USB Type-C Power Delivery
Disable USB Type-C PD functionality to prevent exploitation (if it is not required for system operation).
echo 'blacklist typec' > /etc/modprobe.d/disable-typec.conf
update-initramfs -u
reboot
🧯 If You Can't Patch
- Restrict physical access to USB Type-C ports using physical security measures.
- Use only trusted USB Type-C devices and cables from verified manufacturers.
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and compare it with your distribution's security advisories. Check whether USB Type-C modules are loaded:
lsmod | grep -i typec
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version after the update matches the patched version from your distribution. Check that USB Type-C functionality still works properly with test devices.
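To make the checks above repeatable, here is an added shell helper (not part of the advisory or of the kernel project) that compares the running kernel against a minimum patched version and reports whether Type-C/PD modules are loaded or built in. MIN_FIXED is a placeholder you fill in from your distribution's advisory; the built-in check matters because the modprobe blacklist workaround only suppresses autoloading of a loadable module and has no effect on a driver compiled into the kernel image.

```shell
#!/bin/sh
# Added verification helper for CVE-2024-26995 (not part of the advisory above).
# It answers two questions the advisory leaves to the reader: is the running kernel
# older than the version your distribution patched, and can the 'blacklist typec'
# workaround take effect at all (it cannot when typec is built into the kernel image).

# version_ge A B: succeed when kernel version A is >= B. Only the numeric
# major.minor.patch prefix is compared; suffixes such as -generic or .fc40 are ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# typec_loaded LSMOD_OUTPUT: succeed when a Type-C / PD module is loaded. Module
# names come from the kernel tree: typec (class core), tcpm, tcpci, typec_ucsi, ucsi_*.
typec_loaded() {
    printf '%s\n' "$1" | awk '$1 ~ /^(typec|tcpm|tcpci|ucsi)/ { found = 1 } END { exit !found }'
}

# typec_builtin MODULES_BUILTIN_TEXT: succeed when the typec core is compiled in
# (listed in /lib/modules/$(uname -r)/modules.builtin); a modprobe blacklist is
# irrelevant in that case and only a patched kernel removes the exposure.
typec_builtin() {
    printf '%s\n' "$1" | grep -q '/typec\.ko'
}

# Live check of this host. MIN_FIXED is a placeholder: the advisory gives no
# version number, so take it from your distribution's security advisory.
live_check() {
    kver=$(uname -r)
    if [ -n "${MIN_FIXED:-}" ] && version_ge "$kver" "$MIN_FIXED"; then
        echo "kernel $kver >= $MIN_FIXED: patched"
    else
        echo "kernel $kver: treat as VULNERABLE (MIN_FIXED='${MIN_FIXED:-unset}')"
    fi
    typec_loaded "$(lsmod 2>/dev/null)" && echo "Type-C/PD modules are loaded"
    typec_builtin "$(cat "/lib/modules/$kver/modules.builtin" 2>/dev/null)" \
        && echo "typec is built in: the blacklist workaround will not apply"
}

if [ "${1:-}" = "--check" ]; then live_check; fi
```

Run it as `MIN_FIXED=<version from your distro advisory> sh check-typec.sh --check`; on Fedora-style systems `dracut -f` takes the place of the `update-initramfs -u` step when applying the workaround.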
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing USB Type-C PD errors, power negotiation failures, or unexpected port resets
- System logs showing hardware protection triggers or power delivery issues
Network Indicators:
- Not applicable (local hardware vulnerability)
SIEM Query:
Not applicable for network detection; monitor system and kernel logs for USB Type-C PD errors instead.
🔗 References
- https://git.kernel.org/stable/c/c4128304c2169b4664ed6fb6200f228cead2ab70
- https://git.kernel.org/stable/c/f3da3192cdd3fefe213390e976eec424a8e270b5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/