{"id":"CVE-2026-31729","summary":"usb: typec: ucsi: validate connector number in ucsi_notify_common()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: validate connector number in ucsi_notify_common()\n\nThe connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a\n7-bit field (0-127) that is used to index into the connector array in\nucsi_connector_change(). However, the array is only allocated for the\nnumber of connectors reported by the device (typically 2-4 entries).\n\nA malicious or malfunctioning device could report an out-of-range\nconnector number in the CCI, causing an out-of-bounds array access in\nucsi_connector_change().\n\nAdd a bounds check in ucsi_notify_common(), the central point where CCI\nis parsed after arriving from hardware, so that bogus connector numbers\nare rejected before they propagate further.","modified":"2026-06-16T18:29:17.252377582Z","published":"2026-05-01T14:14:28.868Z","related":["SUSE-SU-2026:22048-1","SUSE-SU-2026:22076-1","SUSE-SU-2026:22087-1","openSUSE-SU-2026:20912-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31729.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/98429e9ec89a5e3a204112dfaa2dbe6ca28493a0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d2d8c17ac01a1b1f638ea5d340a884ccc5015186"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f4e608fe12b7ac6a4a57176ab0296bb5a110a078"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f6dcbf2b024d55549959402f1db6c614e51d52cb"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31729.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31729"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bdc62f2bae8fb0e8e99574de5232f0a3c54a27df"},{"fixed":"f6dcbf2b024d55549959402f1db6c614e51d52cb"},{"fixed":"f4e608fe12b7ac6a4a57176ab0296bb5a110a078"},{"fixed":"98429e9ec89a5e3a204112dfaa2dbe6ca28493a0"},{"fixed":"d2d8c17ac01a1b1f638ea5d340a884ccc5015186"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31729.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31729.json"}}],"schema_version":"1.7.5"}