CVE-2026-31729

HIGH

usb: typec: ucsi: validate connector number in ucsi_notify_common()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: validate connector number in ucsi_notify_common() The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127) that is used to index into the connector array in ucsi_connector_change(). However, the array is only allocated for the number of connectors reported by the device (typically 2-4 entries). A malicious or malfunctioning device could report an out-of-range connector number in the CCI, causing an out-of-bounds array access in ucsi_connector_change(). Add a bounds check in ucsi_notify_common(), the central point where CCI is parsed after arriving from hardware, so that bogus connector numbers are rejected before they propagate further.

Scores

CVSS v3 7.8
EPSS 0.0013
EPSS Percentile 2.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-129
Status published
Products (15)
linux/Kernel 5.5.0 - 6.12.81linux
linux/Kernel 6.13.0 - 6.18.22linux
linux/Kernel 6.19.0 - 6.19.12linux
Linux/Linux < 5.5
Linux/Linux 5.5
Linux/Linux 6.12.81 - 6.12.*
Linux/Linux 6.18.22 - 6.18.*
Linux/Linux 6.19.12 - 6.19.*
Linux/Linux 7.0
Linux/Linux bdc62f2bae8fb0e8e99574de5232f0a3c54a27df - 98429e9ec89a5e3a204112dfaa2dbe6ca28493a0
... and 5 more
Published May 01, 2026
Tracked Since May 01, 2026