CVE-2025-71108: Linux Kernel UCSI DOS Vulnerability

CVE-2025-71108 Overview

CVE-2025-71108 is a vulnerability in the Linux kernel's USB Type-C UCSI (USB Type-C Connector System Interface) subsystem. The issue arises from improper handling of the num_connectors capability field, where buggy firmware sets a reserved bit that should be zero according to the UCSI specification. This can lead to systems failing to boot properly when the kernel attempts to process the malformed capability data.

Critical Impact

Systems with affected firmware may fail to boot due to incorrect parsing of USB Type-C connector configuration data, resulting in denial of service conditions during system initialization.

Affected Products

• Linux kernel (USB Type-C UCSI subsystem)
• Lenovo P1 G8 (confirmed during Linux enablement program)
• Systems with buggy USB Type-C firmware that incorrectly sets the reserved bit in num_connectors

Discovery Timeline

• January 14, 2026 - CVE-2025-71108 published to NVD
• January 19, 2026 - Last updated in NVD database

Technical Details for CVE-2025-71108

Vulnerability Analysis

The vulnerability exists in the USB Type-C Connector System Interface (UCSI) driver within the Linux kernel. According to the UCSI specification, the num_connectors field is defined as a 7-bit value, with the 8th bit reserved and required to be set to zero. However, certain firmware implementations incorrectly set this reserved bit to 1, which causes the kernel to misinterpret the number of connectors present on the system.

When the kernel reads an incorrect num_connectors value due to the set reserved bit, it can lead to unexpected behavior during USB Type-C subsystem initialization. In severe cases, this prevents the system from completing the boot process, effectively rendering the device unusable until the firmware is corrected or the kernel is patched.

This issue was discovered on the Lenovo P1 G8 during a Linux enablement program, indicating that even enterprise-grade hardware can ship with non-compliant firmware implementations.

Root Cause

The root cause is a firmware compliance issue combined with insufficient input validation in the kernel's UCSI driver. The firmware violates the UCSI specification by setting the reserved 8th bit of the num_connectors capability field. The kernel driver did not previously validate or sanitize this field, trusting the firmware to adhere to the specification. This combination of non-compliant firmware and missing defensive coding in the kernel allows the invalid value to propagate and cause system instability.

Attack Vector

This vulnerability primarily manifests as a denial of service condition during system boot. While not directly exploitable by remote attackers, it represents a significant reliability issue:

The vulnerability is triggered automatically during system initialization when the USB Type-C UCSI driver reads the capability data from the firmware. Systems with affected firmware will experience boot failures without any user interaction. The fix implemented in the kernel detects this firmware misbehavior, logs a warning about the non-compliant firmware, and automatically corrects the value by masking out the reserved bit, allowing the system to boot normally.

Detection Methods for CVE-2025-71108

Indicators of Compromise

• System boot failures occurring during USB Type-C subsystem initialization
• Kernel log messages indicating unusual or unexpected num_connectors values in UCSI capability data
• Boot hangs specifically related to typec_ucsi driver loading

Detection Strategies

• Monitor kernel logs during boot for UCSI-related error messages or warnings about firmware capability data
• Review dmesg output for any flags indicating firmware misbehavior in USB Type-C connector enumeration
• Check for boot failures on systems with USB Type-C ports, particularly on Lenovo P1 G8 or similar enterprise workstations

Monitoring Recommendations

• Implement system health monitoring that captures early boot failures and kernel initialization issues
• Track firmware versions across fleet systems and correlate with known affected firmware revisions
• Enable verbose kernel logging for USB Type-C subsystem during troubleshooting sessions

How to Mitigate CVE-2025-71108

Immediate Actions Required

• Update the Linux kernel to a patched version that includes the defensive fix for num_connectors handling
• Contact hardware vendors to inquire about firmware updates that correct the reserved bit violation
• For affected Lenovo P1 G8 systems, check for BIOS/firmware updates that address this issue

Patch Information

The Linux kernel development team has released patches that address this vulnerability by implementing defensive handling of the num_connectors capability field. The fix detects when firmware incorrectly sets the reserved bit, logs a warning to alert administrators, and automatically corrects the value to allow normal system operation.

Multiple kernel patches have been committed to address this issue:

• Kernel Patch Update
• Kernel Commit Changes
• Kernel Bug Fix
• Kernel Security Improvement

Workarounds

• If kernel updates are not immediately available, consider blacklisting the typec_ucsi module if USB Type-C functionality is not required
• Request firmware updates from the hardware vendor to correct the specification violation at the source
• For critical systems, test kernel updates in a staging environment before deploying to production to verify boot stability