CVE-2023-53048: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53048 is a vulnerability in the Linux kernel's USB Type-C Port Manager (TCPM) implementation, specifically affecting the handling of discover_identity messages in PD3. The vulnerability was discovered and published on May 02, 2025, affecting various Linux kernel versions and distributions including Red Hat Enterprise Linux 9, Ubuntu, and Debian systems (Wiz).

The vulnerability manifests in the USB Type-C Port Manager when handling discover_identity messages. The issue occurs when both source and sink devices send discover_identity messages in PD3, causing the kernel to generate warnings due to improper state handling in the tcpm_queue_vdm function. The problem specifically arises in the state machine sequence when the vdm_state exceeds VDM_STATE_DONE. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability primarily affects system stability and logging functionality. It results in kernel warnings and potential state machine inconsistencies in the USB Type-C Port Manager. While the impact is mainly limited to system stability issues, it does not appear to have direct security implications beyond generating system warnings (Wiz).

The fix involves modifying the state machine to handle received discover_identity messages first and override pending discover_identity messages without triggering warnings. A delayed send_discover work will then send discover_identity messages again as needed. Patches have been released for various Linux distributions including Debian (versions 5.10.234-1, 6.1.135-1), Ubuntu (20.04, 22.04), and others (Debian Security).