CVE-2024-46691: usb: typec: ucsi: Move unregister out of atomic section
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Move unregister out of atomic section
Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-lock
non-sleeping")' moved the pmic_glink client list under a spinlock, as it
is accessed by the rpmsg/glink callback, which in turn is invoked from
IRQ context.
This means that ucsi_unregister() is now called from atomic context,
which isn't feasible as it's expecting a sleepable context. An effort is
under way to get GLINK to invoke its callbacks in a sleepable context,
but until then lets schedule the unregistration.
A side effect of this is that ucsi_unregister() can now happen
after the remote processor, and thereby the communication link with it, is
gone. pmic_glink_send() is amended with a check to avoid the resulting NULL
pointer dereference.
This does however result in the user being informed about this error by
the following entry in the kernel log:
ucsi_glink.pmic_glink_ucsi pmic_glink.ucsi.0: failed to send UCSI write request: -5
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel flaw in USB Type-C handling on systems using the Qualcomm PMIC GLINK UCSI path. The source describes incorrect cleanup timing after a lock change, which can trigger unsafe kernel behavior. Public severity, CVSS, and exploitation evidence were not provided.
Executive priority
Track and patch through normal kernel maintenance, with higher priority for fleets using Qualcomm-based Linux devices. Current public evidence does not support emergency response, but incomplete severity data limits confidence.
Technical view
The issue comes from calling ucsi_unregister() from atomic context after pmic_glink client locking moved under a spinlock. The fix schedules unregistration into a sleepable context and adds a pmic_glink_send() link check to avoid a NULL pointer dereference after the remote processor is gone.
Likely exposure
Exposure appears limited to Linux kernels and hardware paths using Qualcomm PMIC GLINK with UCSI USB Type-C support. The bundle lists Linux kernel versions and commits, but exact distribution package mappings require vendor confirmation.
Exploitation context
The source bundle does not identify active exploitation, proof-of-concept activity, or remote attack conditions. KEV status is false. Treat this as a kernel reliability and safety issue until vendor advisories clarify severity and practical impact.
Researcher notes
The most relevant evidence is the upstream fix rationale: sleepable ucsi_unregister() was reached from atomic context, and delayed unregister created a potential NULL dereference path. More impact assessment requires affected hardware and downstream kernel analysis.
Mitigation direction
Update to a vendor kernel containing the referenced stable fixes.
Prioritize systems using Qualcomm PMIC GLINK and UCSI USB Type-C support.
Check Linux distribution advisories for exact fixed package versions.
Do not rely on upstream version strings alone for downstream kernels.
Monitor kernel logs for recurring UCSI GLINK send failures.
Validation and detection
Inventory Linux kernel versions across affected device classes.
Map installed kernels to vendor guidance for CVE-2024-46691.
Confirm the kernel includes the referenced stable patch commits.
Identify whether devices use Qualcomm PMIC GLINK UCSI support.
Review logs for ucsi_glink failed UCSI write request messages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46691 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.