PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46134 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's Chrome OS Embedded Controller (cros_ec) Type-C driver. The `cros_typec_register_thunderbolt()` function fails to initialize the `adata->lock` mutex, leading to a NULL dereference when the mutex is subsequently acquired in `cros_typec_altmode_work()`. This is a local vulnerability affecting kernel integrity and availability. The issue has been resolved by adding mutex initialization in the Thunderbolt registration path.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations running Linux kernels with Chrome OS Embedded Controller support, particularly on devices with Thunderbolt/USB4 Type-C ports. System administrators managing Chromebooks or other Chrome OS devices. Kernel maintainers and distributors packaging stable kernel updates.

Technical summary

The cros_ec_typec driver in the Linux kernel contains a bug where `cros_typec_register_thunderbolt()` allocates and registers Thunderbolt alternate mode data without initializing the `adata->lock` mutex. When `cros_typec_altmode_work()` later attempts to acquire this uninitialized mutex via `mutex_lock()`, it triggers a NULL pointer dereference. The fix adds `mutex_init(&adata->lock)` in the registration function before the data structure is used. This is a coding-error class of vulnerability with a local attack vector: an attacker needs local access to trigger the affected code path.
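The bug class described above (a zeroed allocation whose embedded mutex is never initialized, then locked from a deferred work path) is easy to see in a small userspace model. The following C program is an added illustration, not code from the kernel or the cros_ec_typec driver: `toy_mutex`, `altmode_data`, `register_altmode_buggy()`, `register_altmode_fixed()` and `altmode_work()` are hypothetical names, and the lock is a loose stand-in for a kernel-style mutex whose wait-list head must be self-linked before first use. Instead of crashing, the model's lock function reports the uninitialized state so the two registration paths can be compared.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical simplified mutex: the wait-list head must be initialised to
 * point at itself before the lock is usable. A zero-filled allocation leaves
 * both pointers NULL, which a real slow path would dereference. This is a
 * stand-in, not the kernel's struct mutex. */
struct list_head { struct list_head *next, *prev; };
struct toy_mutex { int owner; struct list_head wait_list; };

static void toy_mutex_init(struct toy_mutex *m)
{
    m->owner = 0;
    m->wait_list.next = &m->wait_list;
    m->wait_list.prev = &m->wait_list;
}

/* Returns 0 on success, -1 if the lock was never initialised. In the model
 * the NULL check stands where the kernel would instead fault. */
static int toy_mutex_lock(struct toy_mutex *m)
{
    if (m->wait_list.next == NULL)
        return -1;
    m->owner = 1;
    return 0;
}

/* Per-altmode private data, mirroring the shape "struct with an embedded
 * lock" from the advisory (names are assumptions). */
struct altmode_data { struct toy_mutex lock; int port; };

/* Buggy registration: zeroed allocation (calloc plays the role of kzalloc),
 * but the lock is never initialised before the object is handed out. */
struct altmode_data *register_altmode_buggy(int port)
{
    struct altmode_data *adata = calloc(1, sizeof *adata);
    if (!adata)
        return NULL;
    adata->port = port;
    return adata;
}

/* Fixed registration: the lock is initialised before the object can be
 * reached by any other code path, which is what the upstream fix does
 * with mutex_init(&adata->lock). */
struct altmode_data *register_altmode_fixed(int port)
{
    struct altmode_data *adata = calloc(1, sizeof *adata);
    if (!adata)
        return NULL;
    adata->port = port;
    toy_mutex_init(&adata->lock);
    return adata;
}

/* Deferred work that takes the lock, standing in for the altmode work
 * function. Returns the lock result: 0 ok, -1 uninitialised lock. */
int altmode_work(struct altmode_data *adata)
{
    return toy_mutex_lock(&adata->lock);
}

int main(void)
{
    struct altmode_data *bad = register_altmode_buggy(0);
    struct altmode_data *good = register_altmode_fixed(0);

    printf("buggy path: altmode_work -> %d\n", altmode_work(bad));
    printf("fixed path: altmode_work -> %d\n", altmode_work(good));

    free(bad);
    free(good);
    return 0;
}
```

The design point for reviewers is that the defect is invisible at the allocation site: zeroed memory looks valid until the first contended or debug-checked lock operation, which is why the fix belongs in the registration path rather than in the worker.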

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch from the Linux kernel stable tree
  • Verify kernel version includes the fix commit (check for commits 23ae72e8c2f1, 3b13d5883a09, or 525cb7ba6661 in stable branches)
  • For systems running affected Chrome OS devices with Thunderbolt support, prioritize kernel updates
  • Monitor NVD for CVSS scoring once analysis is complete

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The fix is confirmed through three stable kernel commits referenced in the source data. No CVSS score has been assigned as of the CVE publication date (2026-05-28).

Official resources

The vulnerability was disclosed via the Linux kernel stable tree on 2026-05-28, with the CVE record published the same day. The fix involves a straightforward initialization of the previously uninitialized mutex.