Description
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ps883x: Fix Oops at unbind
When trying to unbind a device in order to bind to it vfio-platform as:
echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind
I get the following Oops:
[ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
[ 436.487762] Mem abort info:
[ 436.490716] ESR = 0x0000000096000004
[ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits
[ 436.500071] SET = 0, FnV = 0
[ 436.503250] EA = 0, S1PTW = 0
[ 436.506505] FSC = 0x04: level 0 translation fault
[ 436.511533] Data abort info:
[ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000
[ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000
[ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP
[ 436.550374] Modules linked in:
[ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT
[ 436.564440] Tainted: [W]=WARN
[ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025
[ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 436.581841] pc : ps883x_retimer_remove+0x14/0x94
[ 436.586605] lr : i2c_device_remove+0x28/0x84
[ 436.591017] sp : ffff8000847137c0
That's because the ps883x_retimer_remove() retrieves the driver data
from i2c_get_clientdata() which was never set at probe. So, add
i2c_set_clientdata() at the end of the probe.
usb: typec: ps883x: Fix Oops at unbind
When trying to unbind a device in order to bind to it vfio-platform as:
echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind
I get the following Oops:
[ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
[ 436.487762] Mem abort info:
[ 436.490716] ESR = 0x0000000096000004
[ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits
[ 436.500071] SET = 0, FnV = 0
[ 436.503250] EA = 0, S1PTW = 0
[ 436.506505] FSC = 0x04: level 0 translation fault
[ 436.511533] Data abort info:
[ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000
[ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000
[ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP
[ 436.550374] Modules linked in:
[ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT
[ 436.564440] Tainted: [W]=WARN
[ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025
[ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 436.581841] pc : ps883x_retimer_remove+0x14/0x94
[ 436.586605] lr : i2c_device_remove+0x28/0x84
[ 436.591017] sp : ffff8000847137c0
That's because the ps883x_retimer_remove() retrieves the driver data
from i2c_get_clientdata() which was never set at probe. So, add
i2c_set_clientdata() at the end of the probe.
Published:
2026-06-26
Score:
n/a
EPSS:
< 1% Very Low
KEV:
No
Impact:
n/a
Action:
n/a
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux | unaffected |
|
||||||||||||||||||
| Linux | Linux | affected |
|
No data.
No data.
| Vendor | Product | Confidence | Versions | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux Kernel | 99% |
|
||||||||||||||||||||||||
| Linux | Linux Kernel | 99% |
|
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 26 Jun 2026 23:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-476 |
Fri, 26 Jun 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ps883x: Fix Oops at unbind When trying to unbind a device in order to bind to it vfio-platform as: echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind I get the following Oops: [ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 436.487762] Mem abort info: [ 436.490716] ESR = 0x0000000096000004 [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits [ 436.500071] SET = 0, FnV = 0 [ 436.503250] EA = 0, S1PTW = 0 [ 436.506505] FSC = 0x04: level 0 translation fault [ 436.511533] Data abort info: [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000 [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP [ 436.550374] Modules linked in: [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT [ 436.564440] Tainted: [W]=WARN [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025 [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94 [ 436.586605] lr : i2c_device_remove+0x28/0x84 [ 436.591017] sp : ffff8000847137c0 That's because the ps883x_retimer_remove() retrieves the driver data from i2c_get_clientdata() which was never set at probe. So, add i2c_set_clientdata() at the end of the probe. | |
| Title | usb: typec: ps883x: Fix Oops at unbind | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-06-26T19:41:00.712Z
Reserved: 2026-06-09T07:44:35.397Z
Link: CVE-2026-53305
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-06-27T05:15:03Z
Weaknesses