MEDIUM 5.5

CVE-2026-46134

A Linux kernel vulnerability in the Chrome OS Embedded Controller (cros_ec) Thunderbolt registration code fails to initialize a mutex lock, causing the system to crash when the uninitialized lock is later accessed. This affects devices that use the affected kernel code path during Thunderbolt device registration and mode switching. An unprivileged local user can trigger the crash by interacting with Thunderbolt/USB-C functionality, resulting in a denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex. This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()). Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in platform/chrome/cros_ec_typec.c, where the cros_typec_register_thunderbolt() function omits mutex initialization for the adata->lock member. When cros_typec_altmode_work() or other code paths subsequently attempt to acquire this lock, a NULL pointer dereference occurs due to the uninitialized mutex. This manifests as a kernel panic or system hang. The flaw is classified as CWE-476 (NULL Pointer Dereference) and requires local access to trigger, as it depends on Thunderbolt device enumeration and mode-switching operations initiated by a user-level process.

Business impact

Affected devices can be rendered unstable or unavailable through repeated local denial-of-service attacks targeting USB-C/Thunderbolt functionality. This is particularly impactful for Chromebooks and Chrome-based systems where USB-C docking, external GPU attachment, or Thunderbolt peripheral connections are common workflows. Availability disruption during critical work sessions, combined with the potential for accidental triggering, makes this a notable operational risk in managed endpoints.

Affected systems

Linux kernel versions containing the vulnerable cros_ec_typec driver code are affected. This primarily impacts Chromebooks and Chrome OS-based devices with Thunderbolt or USB-C Type-C port controller firmware integration. Systems without the cros_ec platform/chrome driver (non-Chrome OS Linux distributions) are not affected. The specific affected kernel versions depend on the distribution's patching status; administrators should check their kernel version against vendor advisories.

Exploitability

Exploitability is straightforward for local users with standard privileges. No authentication or special capabilities are required—simply connecting a Thunderbolt device or triggering USB-C mode negotiation can invoke the vulnerable code path. The low activation barrier (AC:L) and absence of user interaction requirements (UI:N) mean that exposure is moderate in multi-user or shared-device scenarios. No known public exploits are documented, and exploitation requires local access, reducing the attack surface compared to network-based vulnerabilities.

Remediation

Apply kernel updates from your Linux distribution that include the fix to cros_typec_register_thunderbolt(). The fix involves adding mutex_init(&adata->lock) at the appropriate point during Thunderbolt device registration. Verify the patch commit or release notes to confirm the mutex initialization has been added. For Chromebook users, enable automatic updates or manually install the latest Chrome OS version. Organizations should prioritize systems with frequent Thunderbolt device connections or docking scenarios.

Patch guidance

Obtain and install the latest kernel from your distribution's security repository. For Chromebook and Chrome OS devices, apply the latest Chrome OS release through Settings > About Chrome OS > Check for updates. For downstream Linux distributions, check your vendor's security advisory page and kernel changelog to verify that the cros_ec_typec mutex initialization fix is included. Verify the patched kernel version before and after updates using 'uname -r'. If using a custom or minimally-maintained kernel, manually apply the upstream fix or rebase to a newer stable kernel version that includes the patch.

Detection guidance

Monitor system logs (dmesg, journalctl) for NULL pointer dereference panics or kernel warnings mentioning cros_typec or cros_ec_altmode operations. Watch for repeated kernel crashes or hangs coinciding with USB-C/Thunderbolt device insertion or mode changes. In endpoint detection and response (EDR) tools, flag processes that repeatedly trigger cros_ec ioctl calls or sysfs writes to typec-related attributes without corresponding successful device binding. Kernel-level tracing (ftrace, kprobes) can log calls to cros_typec_altmode_work() to correlate with system instability.

Why prioritize this

This vulnerability warrants prioritization for systems with active Thunderbolt/USB-C usage, particularly shared or multi-user Chromebooks in enterprise environments. While the CVSS score of 5.5 (MEDIUM) reflects the local-only attack vector and availability-only impact, the trivial trigger mechanism and high likelihood of accidental invocation during normal device usage justifies elevated priority. Additionally, the lack of complex exploitation requirements means that any local user, including low-privileged accounts or guests, can cause disruption.

Risk score, explained

The CVSS v3.1 score of 5.5 (MEDIUM) reflects: local attack vector (AV:L) due to the requirement for local access; low attack complexity (AC:L) as no special conditions must be met; low privileges required (PR:L) for any local user; no user interaction needed (UI:N); impact limited to availability (A:H) with no effect on confidentiality or integrity (C:N, I:N). The score appropriately captures the disruption potential balanced against the access constraints. For organizations with heavy Chromebook deployments or high-touch USB-C usage, the practical risk may exceed the numerical score due to operational impact.

Frequently asked questions

Will this crash affect my data or allow an attacker to steal information?

No. The vulnerability causes only a denial of service (system crash or hang). It does not expose, modify, or corrupt data. There is no path to confidentiality or integrity compromise through this flaw.

Do I need to worry about this if I only use Chromebooks with standard charging cables?

Your risk is lower but not eliminated. The vulnerability is triggered specifically when Thunderbolt or USB-C alternate mode negotiation occurs. If you never connect Thunderbolt devices or use docking stations with mode switching, your exposure is minimal. However, standard USB-C power delivery negotiation could theoretically invoke the code path depending on the device's firmware version.

How do I know if my Chromebook is patched?

Check Settings > About Chrome OS and note the version number. Then consult your device manufacturer's security update page or Chrome OS release notes for the specific vulnerability fix date. Alternatively, power users can inspect the kernel version using crosh (Ctrl+Alt+T) and cross-reference the commit hash against Linux kernel upstream records.

Is there a workaround if I cannot update immediately?

Avoid connecting Thunderbolt devices or USB-C docks that require alternate mode negotiation until the patch is applied. This mitigates the trigger. However, this is not a robust long-term mitigation—patching remains the definitive fix and should be scheduled promptly.

This analysis is based on the published CVE record and upstream kernel documentation. Severity and impact may vary depending on your specific kernel version, distribution, and hardware configuration. Always verify patch applicability against your vendor's official security advisories before deployment. SEC.co does not guarantee the completeness or accuracy of vendor advisories; consult primary sources for definitive patching timelines. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the analysis date. Use this guide as one input in your risk assessment; do not treat it as the sole basis for security decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities