Wednesday, 5 March 2026  |  Threat Intelligence & Security Research
⚠ Advisory: This article relates to an actively discussed vulnerability. Vendor patches pending.

New 'CableSplit' Vulnerability Enables Cross-Device Session Leakage Via Shared USB-C Cables

Security researchers warn that colleagues sharing a single USB-C charging cable between laptops at corporate events could inadvertently expose authentication tokens, browser sessions, and device fingerprints through residual PD controller state.

A team of researchers at the Zurich Institute for Hardware Exploitation (ZIHE) have disclosed a new class of vulnerability affecting USB Power Delivery 3.1 negotiations between Apple Silicon MacBooks that share a common charging cable.

Dubbed "CableSplit" (formally tracked as CVE-2026-4913), the flaw exploits a previously undocumented timing condition in the USB-C PD handshake that occurs when a cable is disconnected from one device and connected to another within what researchers describe as the "thermal trust window" — a 47-second period during which the cable retains residual electrical state from the previous host.

CVE-2026-4913 — "CableSplit"
Severity: Critical (9.1)
Vector: Physical / Cable Sharing
Affected: USB-C PD 3.1 cables shared between two or more macOS devices
Preconditions: Sequential physical access to shared cable; two or more macOS hosts; PD 3.1 negotiation within thermal trust window

How the attack works

According to the ZIHE paper, the vulnerability arises specifically in environments where two or more individuals share a single USB-C cable — a scenario the researchers describe as "far more common than any reasonable person would expect."

During the PD negotiation phase, the cable's E-Marker chip briefly stores device identification metadata from its last connected host. If a second device connects before the chip's volatile registers are flushed, a race condition in Apple's ACE3 USB-C controller allows the incoming device to read fragments of the previous session state.

"The attack surface is surprisingly broad. Our initial assumption was that cable sharing would be an edge case, but field observations at three separate industry conferences showed that single-cable sharing between colleagues was occurring at a rate we hadn't anticipated. The preconditions for exploitation are, unfortunately, trivially met."
— Dr. Katrin Huber, Lead Researcher, ZIHE

Researchers found that the vulnerability was most easily reproduced under what they termed "conference conditions": high-density environments where cable sharing between colleagues is more likely due to limited access to power outlets and a tendency to pack insufficiently for multi-day events. The paper notes that the risk is "significantly elevated during annual sales kickoffs, partner summits, and similar corporate gatherings where device density per available outlet is highest."

Scope of data exposure

The ZIHE team demonstrated that the following data could be extracted from the residual cable state during a successful CableSplit attack:

Industry response

Apple has acknowledged the report and stated that a fix will be included in a future macOS update. In the interim, the company recommends that users "maintain exclusive use of their own charging accessories" and avoid sharing cables in untrusted environments.

USB-IF, the standards body responsible for USB specifications, released a statement noting that the PD 3.1 specification "does not currently mandate volatile register flushing on disconnect events" and that an amendment is under review. The organisation added that users should treat USB-C cables as "personal-use accessories in the same category as authentication hardware."

"The risk equation here is straightforward. The cost of a replacement cable is negligible relative to the potential data exposure. What our modelling shows is that organisations with a culture of accessory sharing at events have a measurably higher attack surface. The mitigation is not a technical control — it's a behavioural one."
— Prof. Gary Thornton, Applied Threat Economics, Imperial College London

Recommended Mitigations

UPDATE 12:46 GMT: Several security professionals have contacted DarkTrace Wire since publication to report observing CableSplit-susceptible cable sharing arrangements at upcoming industry events. One respondent described a scenario in which a single cable was being pre-arranged for shared use between two colleagues for the duration of a week-long sales kickoff. ZIHE has updated its advisory to note that "prolonged shared-cable arrangements represent a persistent, not transient, attack window."

Timeline
