VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54299

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: bus: verify partner exists in typec_altmode_attention

Some usb hubs will negotiate DisplayPort Alt mode with the device but will then negotiate a data role swap after entering the alt mode. The data role swap causes the device to unregister all alt modes, however the usb hub will still send Attention messages even after failing to reregister the Alt Mode. typec_altmode_attention currently does not verify whether or not a device's altmode partner exists, which results in a NULL pointer error when dereferencing the typec_altmode and typec_altmode_ops belonging to the altmode partner.

Verify the presence of a device's altmode partner before sending the Attention message to the Alt Mode driver.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's USB Type-C altmode driver occurs when a hub sends Attention messages after a data role swap removes the partner.

Vulnerability

In the Linux kernel, the USB Type-C bus driver function typec_altmode_attention does not verify whether a device's altmode partner still exists before dereferencing it. A race condition exists: some USB hubs negotiate DisplayPort Alt mode with the device, then perform a data role swap that causes the device to unregister all alt modes; however the hub may continue sending Attention messages even after failing to re‑register the Alt Mode. This leads to a NULL pointer dereference when the kernel tries to access the typec_altmode and typec_altmode_ops of the now‑absent partner [1][2][3].

Exploitation

An attacker with physical access to the USB port (or a malicious USB device) can trigger this bug on a victim machine by initiating a data role swap after DisplayPort Alt mode is entered. No special authentication is required beyond the ability to engage in USB‑C protocol negotiation. The affected code path is reachable during normal operation when an uncooperative hub sends Attention messages [1].

Impact

Successful exploitation causes a kernel NULL pointer dereference, leading to a system crash (denial of service). No privilege escalation is described; the impact is limited to availability loss.

Mitigation

The fix adds a check for the partner's existence before sending the Attention message to the Alt Mode driver [1][2][3]. Patched versions are available in the stable kernel tree. Users should update to a kernel containing commit f23643306430 or equivalents.
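The partner check described above, modeled in user-space C as an added example (not the kernel's code or the fix commit). The struct layouts, the `attention_unchecked`/`attention_checked` names, the `last_vdo` field and the `-ENODEV` return value are assumptions made for illustration.

```c
/* Added user-space model, not kernel source; layouts, names, -ENODEV are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
struct typec_altmode {
    const struct typec_altmode_ops *ops;
    uint32_t last_vdo;            /* model-only: last VDO the driver received */
};
struct typec_altmode_ops {
    void (*attention)(struct typec_altmode *alt, uint32_t vdo);
};
struct altmode {
    struct typec_altmode adev;
    struct altmode *partner;      /* NULL once the alt modes are unregistered */
};

static void dp_attention(struct typec_altmode *alt, uint32_t vdo) { alt->last_vdo = vdo; }
static const struct typec_altmode_ops dp_ops = { .attention = dp_attention };

/* Before: assumes a partner; with partner == NULL the read of pdev->ops faults. */
void attention_unchecked(struct altmode *port, uint32_t vdo) {
    struct typec_altmode *pdev = &port->partner->adev;
    if (pdev->ops && pdev->ops->attention)
        pdev->ops->attention(pdev, vdo);
}

/* After: verify the partner exists before handing it the Attention VDO. */
int attention_checked(struct altmode *port, uint32_t vdo) {
    struct altmode *partner = port->partner;
    if (!partner)
        return -ENODEV;
    if (partner->adev.ops && partner->adev.ops->attention)
        partner->adev.ops->attention(&partner->adev, vdo);
    return 0;
}

/* Constructed case: Attention arrives after the partner was unregistered. */
int attention_without_partner(uint32_t vdo) {
    struct altmode port = { .partner = NULL };
    return attention_checked(&port, vdo);
}

/* Constructed case: partner registered; returns the VDO its driver received. */
uint32_t attention_with_partner(uint32_t vdo) {
    struct altmode partner = { .adev = { .ops = &dp_ops } };
    struct altmode port = { .partner = &partner };
    return attention_checked(&port, vdo) == 0 ? partner.adev.last_vdo : 0;
}

int main(void) { return attention_without_partner(0x1) == -ENODEV ? 0 : 1; }
```

Returning an error instead of silently dropping the message lets the caller log or count Attention messages that arrive with no registered partner.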

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
