CVE-2023-53048: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-53048 is a vulnerability in the Linux kernel's USB Type-C Port Manager (TCPM) implementation, specifically affecting the handling of discover_identity messages in PD3. The vulnerability was discovered and published on May 02, 2025, affecting various Linux kernel versions and distributions including Red Hat Enterprise Linux 9, Ubuntu, and Debian systems (Wiz).

The vulnerability manifests in the USB Type-C Port Manager when handling discoveridentity messages. The issue occurs when both source and sink devices send discoveridentity messages in PD3, causing the kernel to generate warnings due to improper state handling in the tcpmqueuevdm function. The problem specifically arises in the state machine sequence when the vdmstate exceeds VDMSTATE_DONE. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability primarily affects system stability and logging functionality. It results in kernel warnings and potential state machine inconsistencies in the USB Type-C Port Manager. While the impact is mainly limited to system stability issues, it does not appear to have direct security implications beyond generating system warnings (Wiz).

The fix involves modifying the state machine to handle received discoveridentity messages first and override pending discoveridentity messages without triggering warnings. A delayed senddiscover work will then send discoveridentity messages again as needed. Patches have been released for various Linux distributions including Debian (versions 5.10.234-1, 6.1.135-1), Ubuntu (20.04, 22.04), and others (Debian Security).