Bug 2429612 (CVE-2025-71108)

Summary: CVE-2025-71108 kernel: usb: typec: ucsi: Handle incorrect num_connectors capability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A firmware compatibility issue was found in the Linux kernel's USB Type-C UCSI driver. The UCSI specification defines num_connectors as a 7-bit field with the 8th bit reserved. Some buggy firmware incorrectly sets this reserved bit, causing the driver to interpret an invalid connector count. This can prevent the system from booting properly when the UCSI driver is loaded.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-14 16:04:38 UTC 
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: Handle incorrect num_connectors capability

The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.

Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
Comment 1 Jon Moroney 2026-01-14 18:23:25 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011411-CVE-2025-71108-2969@gregkh/T