Skip to main content

Linux Kernel CVE-2026-53305

| EUVDEUVD-2026-39840 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-26 Linux GHSA-w4pj-2vvj-f3vp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.4 MEDIUM

Writing to the sysfs driver unbind interface requires CAP_SYS_ADMIN (root), warranting PR:H; no confidentiality or integrity impact, only kernel crash.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 20:59 vuln.today
CVSS changed
Jul 06, 2026 - 20:37 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:41 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:41 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ps883x: Fix Oops at unbind

When trying to unbind a device in order to bind to it vfio-platform as:

echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind

I get the following Oops:

[ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 436.487762] Mem abort info: [ 436.490716] ESR = 0x0000000096000004 [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits [ 436.500071] SET = 0, FnV = 0 [ 436.503250] EA = 0, S1PTW = 0 [ 436.506505] FSC = 0x04: level 0 translation fault [ 436.511533] Data abort info: [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000 [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP [ 436.550374] Modules linked in: [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT [ 436.564440] Tainted: [W]=WARN [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025 [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94 [ 436.586605] lr : i2c_device_remove+0x28/0x84 [ 436.591017] sp : ffff8000847137c0

That's because the ps883x_retimer_remove() retrieves the driver data from i2c_get_clientdata() which was never set at probe. So, add i2c_set_clientdata() at the end of the probe.

AnalysisAI

NULL pointer dereference in the Linux kernel's ps883x USB Type-C retimer driver causes a kernel Oops during device unbind, resulting in a denial of service. The ps883x_retimer_remove() function calls i2c_get_clientdata() to retrieve driver-private state, but i2c_set_clientdata() was never called during probe, leaving the pointer NULL; dereference at offset 0x20 triggers a fatal translation fault. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local root or CAP_SYS_ADMIN
Delivery
Identify bound ps883x retimer device node
Exploit
Write device name to sysfs unbind interface
Execution
Kernel invokes ps883x_retimer_remove()
Persist
Dereference NULL i2c client data pointer
Impact
Kernel Oops causes system crash (DoS)

Vulnerability AssessmentAI

Exploitation Three concurrent conditions must hold: (1) the target system has ps883x USB Type-C retimer hardware physically installed and the ps883x kernel driver loaded and bound to it - systems without this hardware are entirely unaffected; (2) the attacker or process has sufficient privilege to write to the kernel sysfs driver unbind interface, which in standard Linux configurations requires CAP_SYS_ADMIN (root); and (3) the driver must currently be bound (i.e., probe completed without returning an error). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) scores 5.5 (Medium) and correctly captures the local-only attack surface and pure availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A system administrator or automated VFIO setup script executes 'echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind' on a system with a ps883x retimer, intending to pass the device through to a virtual machine. The kernel calls ps883x_retimer_remove(), which immediately dereferences NULL (the i2c client data never set during probe), generating an Oops at pc: ps883x_retimer_remove+0x14/0x94 and crashing the kernel. …
Remediation Upgrade to a patched kernel release: Linux 7.1, 7.0.10, or 6.18.33, which incorporate the fix commits available at https://git.kernel.org/stable/c/37a3d1b6827783f26d2f8e6c7683e253ba79ae93, https://git.kernel.org/stable/c/c404d0ac0cb085cb7077ba32c334cc4042feb81a, and https://git.kernel.org/stable/c/381133848a033c2086cf9cafb226f425bd0414ff. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Lenovo

View all
CVE-2012-1195 HIGH POC
7.5 Feb 18

Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup

CVE-2012-1196 MEDIUM POC
5.0 Feb 18

Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagemen

CVE-2015-2219 HIGH POC
7.2 May 12

Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allo

CVE-2018-14066 CRITICAL POC
9.8 Jul 15

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phone

CVE-2026-58583 HIGH POC
8.4 Jul 07

Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys ve

CVE-2017-7293 HIGH POC
7.8 Apr 26

The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to

CVE-2015-6971 HIGH POC
7.8 Oct 03

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the

CVE-2015-8110 HIGH POC
7.8 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by nav

CVE-2021-3633 HIGH POC
7.8 Aug 17

A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow

CVE-2022-0354 HIGH POC
7.3 Apr 22

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ab

CVE-2015-8109 HIGH POC
7.0 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by mak

CVE-2017-3761 CRITICAL
9.8 Oct 17

The Lenovo Service Framework Android application executes some system commands without proper sanitization of external i

Share

CVE-2026-53305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy