Kyle Tso

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to off-by-one errors in the Linux kernel's USB Type-C TCPM (TCPM - Type-C Port Manager) module, specifically in the `pd set` function. These errors occur because `nr snk pdo` and `nr src pdo` are incorrectly incremented by one. As a result, when doing power negotiation, TCPM relies on the incorrect size of the local sink PDO array (`nr snk pdo`) to match the Source capabilities of the partner port. This can lead to a wrong RDO being sent, causing unexpected power transfer, such as overvoltage or overcurrent. Similarly, `nr src pdo` is used to set the Rp level when the port is in Source role and to fill up the buffer with local Source capabilities for Power Negotiation. If an off-by-one overflow occurs, a wrong Rp level might be set, and wrong Source PDOs will be sent to the partner port, potentially causing overcurrent or port resets. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.