LiveActive security incident?Get immediate response
CVE Record

CVE-2024-46691: usb: typec: ucsi: Move unregister out of atomic section

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock non-sleeping")' moved the pmic_glink client list under a spinlock, as it is accessed by the rpmsg/glink callback, which in turn is invoked from IRQ context. This means that ucsi_unregister() is now called from atomic context, which isn't feasible as it's expecting a sleepable context. An effort is under way to get GLINK to invoke its callbacks in a sleepable context, but until then lets schedule the unregistration. A side effect of this is that ucsi_unregister() can now happen after the remote processor, and thereby the communication link with it, is gone. pmic_glink_send() is amended with a check to avoid the resulting NULL pointer dereference. This does however result in the user being informed about this error by the following entry in the kernel log: ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel flaw in USB Type-C handling on systems using the Qualcomm PMIC GLINK UCSI path. The source describes incorrect cleanup timing after a lock change, which can trigger unsafe kernel behavior. Public severity, CVSS, and exploitation evidence were not provided.

Executive priority

Track and patch through normal kernel maintenance, with higher priority for fleets using Qualcomm-based Linux devices. Current public evidence does not support emergency response, but incomplete severity data limits confidence.

Technical view

The issue comes from calling ucsi_unregister() from atomic context after pmic_glink client locking moved under a spinlock. The fix schedules unregistration into a sleepable context and adds a pmic_glink_send() link check to avoid a NULL pointer dereference after the remote processor is gone.

Likely exposure

Exposure appears limited to Linux kernels and hardware paths using Qualcomm PMIC GLINK with UCSI USB Type-C support. The bundle lists Linux kernel versions and commits, but exact distribution package mappings require vendor confirmation.

Exploitation context

The source bundle does not identify active exploitation, proof-of-concept activity, or remote attack conditions. KEV status is false. Treat this as a kernel reliability and safety issue until vendor advisories clarify severity and practical impact.

Researcher notes

The most relevant evidence is the upstream fix rationale: sleepable ucsi_unregister() was reached from atomic context, and delayed unregister created a potential NULL dereference path. More impact assessment requires affected hardware and downstream kernel analysis.

Mitigation direction

  • Update to a vendor kernel containing the referenced stable fixes.
  • Prioritize systems using Qualcomm PMIC GLINK and UCSI USB Type-C support.
  • Check Linux distribution advisories for exact fixed package versions.
  • Do not rely on upstream version strings alone for downstream kernels.
  • Monitor kernel logs for recurring UCSI GLINK send failures.

Validation and detection

  • Inventory Linux kernel versions across affected device classes.
  • Map installed kernels to vendor guidance for CVE-2024-46691.
  • Confirm the kernel includes the referenced stable patch commits.
  • Identify whether devices use Qualcomm PMIC GLINK UCSI support.
  • Review logs for ucsi_glink failed UCSI write request messages.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-46691 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxfbadcde1572f6b00e1e343d8b24ec8bf7f3ec08d, 9329933699b32d467a99befa20415c4b2172389a, 9329933699b32d467a99befa20415c4b2172389a, 8d62ab7d89a4906385ea8c11a4b2475578bec0f0, bd54d7c8e76d235b4a70be3a545eb13f5ac531e4, 6.6.33, 6.8.12, 6.9.3unaffected
LinuxLinux6.10, 0, 6.6.130, 6.10.8, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.