CVE-2024-53149: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-53149 is a vulnerability in the Linux kernel's USB Type-C UCSI (USB Type-C Connector System Software Interface) glink driver. The vulnerability was discovered and disclosed on December 24, 2024, affecting Linux kernel versions from 6.10 up to (excluding) 6.11.11 and from 6.12 up to (excluding) 6.12.2. The issue involves an off-by-one error in the connector_status function of the USB Type-C subsystem (NVD).

The vulnerability stems from an off-by-one error in the pmicglinkucsiconnectorstatus() callback function. UCSI connector indices start from 1 up to 3 (PMICGLINKMAX_PORTS), but the condition check in the code was incorrectly implemented. The issue affects the Type-C orientation reporting specifically for the third USB-C connector. The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) with vector string CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability affects the USB Type-C orientation reporting functionality, specifically for the third USB-C connector. While the impact is limited to physical access scenarios, it could potentially lead to incorrect orientation reporting for USB Type-C connections (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that corrects the condition in the pmicglinkucsiconnectorstatus() callback. The fix has been implemented in various kernel versions and distributions. Ubuntu has released fixes for affected versions, including version 6.11.0-18.18 for Ubuntu 24.10 (Ubuntu).