{"api_version":"1","generated_at":"2026-06-27T02:41:26+00:00","cve":"CVE-2026-53305","urls":{"html":"https://cve.report/CVE-2026-53305","api":"https://cve.report/api/cve/CVE-2026-53305.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53305","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53305"},"summary":{"title":"usb: typec: ps883x: Fix Oops at unbind","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ps883x: Fix Oops at unbind\n\nWhen trying to unbind a device in order to bind to it vfio-platform as:\n\n  echo bc0000.geniqup  > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind\n\nI get the following Oops:\n\n[  436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[  436.487762] Mem abort info:\n[  436.490716]   ESR = 0x0000000096000004\n[  436.494595]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  436.500071]   SET = 0, FnV = 0\n[  436.503250]   EA = 0, S1PTW = 0\n[  436.506505]   FSC = 0x04: level 0 translation fault\n[  436.511533] Data abort info:\n[  436.514558]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  436.520215]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  436.525436]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000\n[  436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000\n[  436.544548] Internal error: Oops: 0000000096000004 [#1]  SMP\n[  436.550374] Modules linked in:\n[  436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G        W           7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT\n[  436.564440] Tainted: [W]=WARN\n[  436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025\n[  436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[  436.581841] pc : ps883x_retimer_remove+0x14/0x94\n[  436.586605] lr : i2c_device_remove+0x28/0x84\n[  436.591017] sp : ffff8000847137c0\n\nThat's because the ps883x_retimer_remove() retrieves the driver data\nfrom i2c_get_clientdata() which was never set at probe. So, add\ni2c_set_clientdata() at the end of the probe.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-26 20:17:23","updated_at":"2026-06-26 20:17:23"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/381133848a033c2086cf9cafb226f425bd0414ff","name":"https://git.kernel.org/stable/c/381133848a033c2086cf9cafb226f425bd0414ff","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/37a3d1b6827783f26d2f8e6c7683e253ba79ae93","name":"https://git.kernel.org/stable/c/37a3d1b6827783f26d2f8e6c7683e253ba79ae93","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c404d0ac0cb085cb7077ba32c334cc4042feb81a","name":"https://git.kernel.org/stable/c/c404d0ac0cb085cb7077ba32c334cc4042feb81a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53305","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53305","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 257a087c8b5206e046048de6053fc8b3fa1af814 37a3d1b6827783f26d2f8e6c7683e253ba79ae93 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 257a087c8b5206e046048de6053fc8b3fa1af814 c404d0ac0cb085cb7077ba32c334cc4042feb81a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 257a087c8b5206e046048de6053fc8b3fa1af814 381133848a033c2086cf9cafb226f425bd0414ff git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/usb/typec/mux/ps883x.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"37a3d1b6827783f26d2f8e6c7683e253ba79ae93","status":"affected","version":"257a087c8b5206e046048de6053fc8b3fa1af814","versionType":"git"},{"lessThan":"c404d0ac0cb085cb7077ba32c334cc4042feb81a","status":"affected","version":"257a087c8b5206e046048de6053fc8b3fa1af814","versionType":"git"},{"lessThan":"381133848a033c2086cf9cafb226f425bd0414ff","status":"affected","version":"257a087c8b5206e046048de6053fc8b3fa1af814","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/usb/typec/mux/ps883x.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.15"},{"lessThan":"6.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"6.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"6.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"6.15","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ps883x: Fix Oops at unbind\n\nWhen trying to unbind a device in order to bind to it vfio-platform as:\n\n  echo bc0000.geniqup  > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind\n\nI get the following Oops:\n\n[  436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[  436.487762] Mem abort info:\n[  436.490716]   ESR = 0x0000000096000004\n[  436.494595]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  436.500071]   SET = 0, FnV = 0\n[  436.503250]   EA = 0, S1PTW = 0\n[  436.506505]   FSC = 0x04: level 0 translation fault\n[  436.511533] Data abort info:\n[  436.514558]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  436.520215]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  436.525436]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000\n[  436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000\n[  436.544548] Internal error: Oops: 0000000096000004 [#1]  SMP\n[  436.550374] Modules linked in:\n[  436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G        W           7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT\n[  436.564440] Tainted: [W]=WARN\n[  436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025\n[  436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[  436.581841] pc : ps883x_retimer_remove+0x14/0x94\n[  436.586605] lr : i2c_device_remove+0x28/0x84\n[  436.591017] sp : ffff8000847137c0\n\nThat's because the ps883x_retimer_remove() retrieves the driver data\nfrom i2c_get_clientdata() which was never set at probe. So, add\ni2c_set_clientdata() at the end of the probe."}],"providerMetadata":{"dateUpdated":"2026-06-26T19:41:00.712Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/37a3d1b6827783f26d2f8e6c7683e253ba79ae93"},{"url":"https://git.kernel.org/stable/c/c404d0ac0cb085cb7077ba32c334cc4042feb81a"},{"url":"https://git.kernel.org/stable/c/381133848a033c2086cf9cafb226f425bd0414ff"}],"title":"usb: typec: ps883x: Fix Oops at unbind","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53305","datePublished":"2026-06-26T19:41:00.712Z","dateReserved":"2026-06-09T07:44:35.397Z","dateUpdated":"2026-06-26T19:41:00.712Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-26 20:17:23","lastModifiedDate":"2026-06-26 20:17:23","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53305","Ordinal":"1","Title":"usb: typec: ps883x: Fix Oops at unbind","CVE":"CVE-2026-53305","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53305","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ps883x: Fix Oops at unbind\n\nWhen trying to unbind a device in order to bind to it vfio-platform as:\n\n  echo bc0000.geniqup  > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind\n\nI get the following Oops:\n\n[  436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[  436.487762] Mem abort info:\n[  436.490716]   ESR = 0x0000000096000004\n[  436.494595]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  436.500071]   SET = 0, FnV = 0\n[  436.503250]   EA = 0, S1PTW = 0\n[  436.506505]   FSC = 0x04: level 0 translation fault\n[  436.511533] Data abort info:\n[  436.514558]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[  436.520215]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  436.525436]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000\n[  436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000\n[  436.544548] Internal error: Oops: 0000000096000004 [#1]  SMP\n[  436.550374] Modules linked in:\n[  436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G        W           7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT\n[  436.564440] Tainted: [W]=WARN\n[  436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025\n[  436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[  436.581841] pc : ps883x_retimer_remove+0x14/0x94\n[  436.586605] lr : i2c_device_remove+0x28/0x84\n[  436.591017] sp : ffff8000847137c0\n\nThat's because the ps883x_retimer_remove() retrieves the driver data\nfrom i2c_get_clientdata() which was never set at probe. So, add\ni2c_set_clientdata() at the end of the probe.","Type":"Description","Title":"usb: typec: ps883x: Fix Oops at unbind"}]}}}