CVE-2026-46134
Description
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
cros_typec_register_thunderbolt() missed initializing the adata->lock mutex. This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).
Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing mutex initialization in Linux kernel's cros_ec_typec driver leads to NULL dereference on Thunderbolt altmode operations.
Vulnerability
In the Linux kernel, the cros_ec_typec driver's cros_typec_register_thunderbolt() function fails to initialize the adata->lock mutex. This affects kernel versions prior to the commit that fixes the issue [1]. The code path is reachable when Thunderbolt alternate mode is registered and later accessed via cros_typec_altmode_work().
Exploitation
An attacker requires the ability to trigger the code path that acquires the uninitialized mutex. This can be done by interacting with the Thunderbolt alternate mode, such as plugging a Thunderbolt device or initiating a mode switch. No special privileges beyond normal user access are needed, but physical or local access to the device may be required.
Impact
A successful exploit results in a NULL pointer dereference, causing a kernel panic and denial of service (DoS). No privilege escalation or data corruption is indicated.
Mitigation
The issue is fixed in commit [1] (patch available in the Linux kernel stable tree). Users should apply this patch or update to a kernel version that includes it. No workarounds are documented.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 6
23ae72e8c2f1 platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
2 files changed · +2 −2
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
3b13d5883a09 platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
2 files changed · +2 −2
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
525cb7ba6661 platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
2 files changed · +2 −2
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
525cb7ba6661 platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
2 files changed · +2 −2
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
3b13d5883a09 platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
2 files changed · +2 −2
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
23ae72e8c2f1 platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
2 files changed · +2 −2
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
drivers/platform/chrome/cros_typec_altmode.c+1 −1 modifieddiff --git a/drivers/platform/chrome/cros_typec_altmode.c b/drivers/platform/chrome/cros_typec_altmode.c index 557340b53af03b..66c546bf89b532 100644 --- a/drivers/platform/chrome/cros_typec_altmode.c +++ b/drivers/platform/chrome/cros_typec_altmode.c @@ -359,6 +359,7 @@ cros_typec_register_thunderbolt(struct cros_typec_port *port, } INIT_WORK(&adata->work, cros_typec_altmode_work); + mutex_init(&adata->lock); adata->alt = alt; adata->port = port; adata->ap_mode_entry = true; -- cgit 1.3-korg
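Review bot: in cros_typec_register_thunderbolt() the new mutex_init(&adata->lock) lands after INIT_WORK(&adata->work, cros_typec_altmode_work), although the work handler is the code that takes this lock; I would initialise the lock first, or put both calls in one small adata setup helper, so the lock is always ready before anything can refer to the work item and a later registration function cannot omit it again. Nothing in this context shows a matching teardown, so it is worth checking that the release path cancels adata->work before adata goes away. The same one-line hunk is repeated for each listed commit, so this comment applies to all of them.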
Vulnerability mechanics
Root cause
"Missing `mutex_init()` call in `cros_typec_register_thunderbolt()` leaves the `adata->lock` mutex uninitialized, causing a NULL dereference when the mutex is later acquired."
Attack vector
An attacker with physical access to a Chromebook's USB-C port can plug a Thunderbolt device, triggering the kernel to call `cros_typec_register_thunderbolt()`. This function allocates an `adata` structure but fails to initialize the `adata->lock` mutex. When the workqueue handler `cros_typec_altmode_work()` later runs and attempts to acquire the uninitialized mutex, a NULL-pointer dereference occurs, causing a kernel crash (denial of service). No special authentication or network access is required; the precondition is simply that the system has the Chrome OS EC Type-C driver loaded and a Thunderbolt alt-mode device is connected.
Affected code
The bug is in the function `cros_typec_register_thunderbolt()` in `drivers/platform/chrome/cros_typec_altmode.c` [patch_id=2898407]. The function initializes a work item via `INIT_WORK(&adata->work, cros_typec_altmode_work)` but omits the corresponding `mutex_init(&adata->lock)` call, leaving the `adata->lock` mutex uninitialized.
What the fix does
The patch adds a single line — `mutex_init(&adata->lock);` — immediately after `INIT_WORK(&adata->work, cros_typec_altmode_work);` inside `cros_typec_register_thunderbolt()` [patch_id=2898407]. This ensures the mutex is properly initialized before any code path (such as `cros_typec_altmode_work()`) can attempt to lock it. Without this initialization, the mutex's internal state is undefined, leading to the NULL dereference described in the commit message.
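An added example, not code from the kernel tree or from this page's sources: a small Python audit helper that generalises the fix into a check over a C source file, flagging any function that calls `INIT_WORK(&x->work, ...)` without a matching `mutex_init(&x->lock)`. The sample sources are constructed from the hunk shown above, and the helper names (`function_bodies`, `missing_lock_init`) are hypothetical.

```python
import re

# Constructed samples modelled on the hunk above. The return type and the
# parameter list are placeholders: the page truncates the real signature.
VULNERABLE = """
void *cros_typec_register_thunderbolt(struct cros_typec_port *port)
{
    INIT_WORK(&adata->work, cros_typec_altmode_work);
    adata->alt = alt;
    adata->port = port;
    adata->ap_mode_entry = true;
    return alt;
}
"""
FIXED = VULNERABLE.replace(
    "cros_typec_altmode_work);\n",
    "cros_typec_altmode_work);\n    mutex_init(&adata->lock);\n", 1)

WORK_INIT = re.compile(r"INIT_WORK\s*\(\s*&\s*(\w+)\s*->\s*work\b")

def function_bodies(src):
    """Yield (name, body) for each top-level '{...}' block that follows name(...).
    Braces inside strings or comments are not handled (audit aid, not a parser)."""
    depth, start, head_from = 0, 0, 0
    for i, ch in enumerate(src):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                head = src[head_from:start].rsplit(";", 1)[-1]
                m = re.search(r"(\w+)\s*\([^{}]*\)\s*$", head)
                if m:
                    yield m.group(1), src[start:i + 1]
                head_from = i + 1

def missing_lock_init(src):
    """Names of functions that INIT_WORK(&x->work, ...) without mutex_init(&x->lock)."""
    flagged = []
    for name, body in function_bodies(src):
        for var in sorted(set(WORK_INIT.findall(body))):
            lock = r"mutex_init\s*\(\s*&\s*%s\s*->\s*lock\s*\)" % re.escape(var)
            if not re.search(lock, body):
                flagged.append(name)
    return flagged

if __name__ == "__main__":
    print("before fix:", missing_lock_init(VULNERABLE))
    print("after fix: ", missing_lock_init(FIXED))
```

A flagged function is a lead for review rather than proof of a bug, since the lock may be initialised in a helper the scan does not follow.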
Preconditions
- config: The system must have the Chrome OS EC Type-C driver (cros_ec_typec) loaded and a Thunderbolt alt-mode capable USB-C port.
- input: An attacker must connect a Thunderbolt device (or otherwise trigger Thunderbolt alt-mode registration) to the affected USB-C port.
- auth: No authentication or network access is required; physical proximity to the USB-C port suffices.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.