CVE-2026-31729 - Vulnerability Details

- usb: typec: ucsi: validate connector number in ucsi_notify_common()

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: validate connector number in ucsi_notify_common()

The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a
7-bit field (0-127) that is used to index into the connector array in
ucsi_connector_change(). However, the array is only allocated for the
number of connectors reported by the device (typically 2-4 entries).

A malicious or malfunctioning device could report an out-of-range
connector number in the CCI, causing an out-of-bounds array access in
ucsi_connector_change().

Add a bounds check in ucsi_notify_common(), the central point where CCI
is parsed after arriving from hardware, so that bogus connector numbers
are rejected before they propagate further.

Published: 2026-05-01

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A faulty validator in the Linux kernel’s UCSI implementation allows a malicious or malfunctioning USB Type‑C device to report a connector number outside the valid range. The kernel interprets this 7‑bit value as an index into a small array that holds only the connectors reported by the device. Without a bounds check, an out‑of‑range value causes a kernel out‑of‑bounds array access, potentially crashing the system or hijacking kernel memory. The severity is that it enables a local attacker to destabilize or possibly compromise the kernel environment.

Affected Systems

The flaw affects all Linux kernel builds that contain the unpatched ucsi_notify_common() function. Versions prior to the commit that added the bounds check are vulnerable; exact affected subversions are not listed in the CVE data, so any distribution using a kernel older than that patch is at risk.

Risk and Exploitability

The CVSS score is 7.0 and the EPSS score is unavailable, making the precise exploitation probability unclear. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves a local USB Type‑C device that supplies an out‑of‑range connector number, which could result in kernel crashes or, depending on the memory state, privilege escalation. While no public exploit is known, the nature of an out‑of‑bounds kernel bug warrants prompt attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`bdc62f2bae8fb0e8e99574de5232f0a3c54a27df`	affected	< f6dcbf2b024d55549959402f1db6c614e51d52cb
`bdc62f2bae8fb0e8e99574de5232f0a3c54a27df`	affected	< f4e608fe12b7ac6a4a57176ab0296bb5a110a078
`bdc62f2bae8fb0e8e99574de5232f0a3c54a27df`	affected	< 98429e9ec89a5e3a204112dfaa2dbe6ca28493a0
`bdc62f2bae8fb0e8e99574de5232f0a3c54a27df`	affected	< d2d8c17ac01a1b1f638ea5d340a884ccc5015186

Linux

affected

Version	Status	Constraints
`5.5`	affected	—
`0`	unaffected	< 5.5
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[bdc62f2bae8fb0e8e99574de5232f0a3c54a27df,f6dcbf2b024d55549959402f1db6c614e51d52cb)`	affected	code_commit	—
`[bdc62f2bae8fb0e8e99574de5232f0a3c54a27df,f4e608fe12b7ac6a4a57176ab0296bb5a110a078)`	affected	code_commit	—
`[bdc62f2bae8fb0e8e99574de5232f0a3c54a27df,98429e9ec89a5e3a204112dfaa2dbe6ca28493a0)`	affected	code_commit	—
`[bdc62f2bae8fb0e8e99574de5232f0a3c54a27df,d2d8c17ac01a1b1f638ea5d340a884ccc5015186)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.5`	affected	generic	—
`[0,5.5)`	unaffected	generic	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a Linux kernel that includes the bounds‑check patch for ucsi_notify_common()
If immediate kernel upgrade is not possible, disable the UCSI subsystem or remove the module from the kernel configuration to eliminate the vulnerable code path
Configure hardware or firmware to block or restrict USB Type‑C devices that could supply malformed UCSI messages

Generated by OpenCVE AI on May 2, 2026 at 10:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/98429e9ec89a5e3a204112dfaa2dbe6ca28493a0
https://git.kernel.org/stable/c/d2d8c17ac01a1b1f638ea5d340a884ccc5015186
https://git.kernel.org/stable/c/f4e608fe12b7ac6a4a57176ab0296bb5a110a078
https://git.kernel.org/stable/c/f6dcbf2b024d55549959402f1db6c614e51d52cb
https://lore.kernel.org/linux-cve-announce/2026050136-CVE-2026-31729-6350@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31729
https://www.cve.org/CVERecord?id=CVE-2026-31729

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026050136-CVE-2026-31729-6350@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31729 https://www.cve.org/CVERecord?id=CVE-2026-31729
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: validate connector number in ucsi_notify_common() The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127) that is used to index into the connector array in ucsi_connector_change(). However, the array is only allocated for the number of connectors reported by the device (typically 2-4 entries). A malicious or malfunctioning device could report an out-of-range connector number in the CCI, causing an out-of-bounds array access in ucsi_connector_change(). Add a bounds check in ucsi_notify_common(), the central point where CCI is parsed after arriving from hardware, so that bogus connector numbers are rejected before they propagate further.
Title		usb: typec: ucsi: validate connector number in ucsi_notify_common()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/98429e9ec89a5e3a204112dfaa2dbe6ca28493a0 https://git.kernel.org/stable/c/d2d8c17ac01a1b1f638ea5d340a884ccc5015186 https://git.kernel.org/stable/c/f4e608fe12b7ac6a4a57176ab0296bb5a110a078 https://git.kernel.org/stable/c/f6dcbf2b024d55549959402f1db6c614e51d52cb

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:28.868Z

Updated: 2026-05-01T14:14:28.868Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31729

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:35.467

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31729

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31729 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:45:40Z

Weaknesses

CWE-1285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object