CVE-2026-31729
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2026
Last modified:
07/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
usb: typec: ucsi: validate connector number in ucsi_notify_common()<br />
<br />
The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a<br />
7-bit field (0-127) that is used to index into the connector array in<br />
ucsi_connector_change(). However, the array is only allocated for the<br />
number of connectors reported by the device (typically 2-4 entries).<br />
<br />
A malicious or malfunctioning device could report an out-of-range<br />
connector number in the CCI, causing an out-of-bounds array access in<br />
ucsi_connector_change().<br />
<br />
Add a bounds check in ucsi_notify_common(), the central point where CCI<br />
is parsed after arriving from hardware, so that bogus connector numbers<br />
are rejected before they propagate further.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 6.12.81 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.22 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page