CVE-2026-31729
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: validate connector number in ucsi_notify_common()
The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127) that is used to index into the connector array in ucsi_connector_change(). However, the array is only allocated for the number of connectors reported by the device (typically 2-4 entries).
A malicious or malfunctioning device could report an out-of-range connector number in the CCI, causing an out-of-bounds array access in ucsi_connector_change().
Add a bounds check in ucsi_notify_common(), the central point where CCI is parsed after arriving from hardware, so that bogus connector numbers are rejected before they propagate further.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check in the Linux kernel's UCSI driver allows a malicious USB-C device to trigger an out-of-bounds array access via a crafted connector number.
Root Cause
The vulnerability resides in the Linux kernel's USB Type-C UCSI (USB Type-C Connector System Software Interface) driver. The ucsi_notify_common() function parses the Connector Change Indicator (CCI) from hardware and extracts a connector number using the UCSI_CCI_CONNECTOR() macro. This 7-bit field (0–127) is then used to index into the connector array in ucsi_connector_change(). However, the array is allocated only for the number of connectors reported by the device (typically 2–4 entries). No validation is performed on the connector number before the array access, leading to an out-of-bounds read/write when a malicious or malfunctioning device supplies an out-of-range value [1].
Exploitation
An attacker with physical access to a USB-C port can connect a specially crafted USB-C device or a malicious USB-C controller that reports a bogus connector number in the CCI. No authentication is required; the attack is triggered automatically when the kernel processes the notification from the device. The vulnerability is reachable from the ucsi_notify_common() function, which is the central point where CCI data is parsed after arriving from hardware [2].
Impact
Successful exploitation results in an out-of-bounds array access in ucsi_connector_change(). This can corrupt kernel memory, potentially leading to a system crash (denial of service) or, under the right conditions, arbitrary code execution with kernel privileges. The CVSS v3 score of 7.8 (High) reflects the high impact on confidentiality, integrity, and availability, given the local physical attack vector and low complexity [3].
Mitigation
The fix adds a bounds check in ucsi_notify_common() to reject connector numbers that exceed the number of connectors reported by the device. The patch has been applied to the Linux kernel stable tree and is available in commits such as f4e608fe12b7 and d2d8c17ac01a [4]. Users should update their kernel to a version containing the fix. No workaround is available; the vulnerability is eliminated only by applying the patch.
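The check described above, as a user-space model added here for illustration; it is not the kernel patch or driver code. The field position (CCI bits 7:1), the 1-based connector numbering with 0 meaning "no connector change", and all names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: the 7-bit connector number sits in CCI bits 7:1; 0 = no connector change. */
#define CCI_CONNECTOR(cci) (((cci) >> 1) & 0x7Fu)

struct connector { unsigned int changes; };
struct ucsi_model {
    unsigned int num_connectors;   /* count the device reported at init */
    struct connector *connector;   /* array allocated for exactly that count */
};

/* Hypothetical stand-in for ucsi_connector_change(): indexes the array with no check. */
static void connector_change(struct ucsi_model *u, unsigned int num)
{
    u->connector[num - 1].changes++;
}

/* Central CCI parser. Returns 1 = dispatched, 0 = no connector change, -1 = rejected. */
int notify_common(struct ucsi_model *u, uint32_t cci)
{
    unsigned int num = CCI_CONNECTOR(cci);

    if (num == 0)
        return 0;
    if (num > u->num_connectors)   /* the bounds check: 3..127 on a 2-port device stop here */
        return -1;
    connector_change(u, num);
    return 1;
}

/* Constructed harness: a device with `have` connectors sends a CCI naming `reported`. */
int simulate(unsigned int have, unsigned int reported)
{
    struct ucsi_model u = { have, calloc(have, sizeof(struct connector)) };
    int rc = u.connector ? notify_common(&u, (uint32_t)(reported & 0x7Fu) << 1) : -2;
    free(u.connector);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a 2-connector device reporting numbers 1, 2, 3 and 127. */
    unsigned int samples[] = { 1, 2, 3, 127 };
    for (size_t i = 0; i < 4; i++)
        printf("connector %u -> %d\n", samples[i], simulate(2, samples[i]));
    return 0;
}
```

Without the `num > u->num_connectors` test, the last two samples would index past a two-element allocation, which is the out-of-bounds access the description refers to.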
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.5,<6.12.81)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
- Patch Tuesday - May 2026, Rapid7 Blog · May 13, 2026