Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Writing to the sysfs driver unbind interface requires CAP_SYS_ADMIN (root), warranting PR:H; no confidentiality or integrity impact, only kernel crash.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ps883x: Fix Oops at unbind
When trying to unbind a device in order to bind to it vfio-platform as:
echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind
I get the following Oops:
[ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 436.487762] Mem abort info: [ 436.490716] ESR = 0x0000000096000004 [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits [ 436.500071] SET = 0, FnV = 0 [ 436.503250] EA = 0, S1PTW = 0 [ 436.506505] FSC = 0x04: level 0 translation fault [ 436.511533] Data abort info: [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000 [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP [ 436.550374] Modules linked in: [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT [ 436.564440] Tainted: [W]=WARN [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025 [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94 [ 436.586605] lr : i2c_device_remove+0x28/0x84 [ 436.591017] sp : ffff8000847137c0
That's because the ps883x_retimer_remove() retrieves the driver data from i2c_get_clientdata() which was never set at probe. So, add i2c_set_clientdata() at the end of the probe.
AnalysisAI
NULL pointer dereference in the Linux kernel's ps883x USB Type-C retimer driver causes a kernel Oops during device unbind, resulting in a denial of service. The ps883x_retimer_remove() function calls i2c_get_clientdata() to retrieve driver-private state, but i2c_set_clientdata() was never called during probe, leaving the pointer NULL; dereference at offset 0x20 triggers a fatal translation fault. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Three concurrent conditions must hold: (1) the target system has ps883x USB Type-C retimer hardware physically installed and the ps883x kernel driver loaded and bound to it - systems without this hardware are entirely unaffected; (2) the attacker or process has sufficient privilege to write to the kernel sysfs driver unbind interface, which in standard Linux configurations requires CAP_SYS_ADMIN (root); and (3) the driver must currently be bound (i.e., probe completed without returning an error). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) scores 5.5 (Medium) and correctly captures the local-only attack surface and pure availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A system administrator or automated VFIO setup script executes 'echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind' on a system with a ps883x retimer, intending to pass the device through to a virtual machine. The kernel calls ps883x_retimer_remove(), which immediately dereferences NULL (the i2c client data never set during probe), generating an Oops at pc: ps883x_retimer_remove+0x14/0x94 and crashing the kernel. … |
| Remediation | Upgrade to a patched kernel release: Linux 7.1, 7.0.10, or 6.18.33, which incorporate the fix commits available at https://git.kernel.org/stable/c/37a3d1b6827783f26d2f8e6c7683e253ba79ae93, https://git.kernel.org/stable/c/c404d0ac0cb085cb7077ba32c334cc4042feb81a, and https://git.kernel.org/stable/c/381133848a033c2086cf9cafb226f425bd0414ff. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup
Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagemen
Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allo
The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phone
Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys ve
The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by nav
A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow
A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ab
Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by mak
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external i
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39840
GHSA-w4pj-2vvj-f3vp