Skip to main content

Linux Kernel EUVDEUVD-2026-26542

| CVE-2026-31729 HIGH
Improper Validation of Array Index (CWE-129)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 18:16 vuln.today
CVSS changed
May 07, 2026 - 16:07 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26542
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: validate connector number in ucsi_notify_common()

The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127) that is used to index into the connector array in ucsi_connector_change(). However, the array is only allocated for the number of connectors reported by the device (typically 2-4 entries).

A malicious or malfunctioning device could report an out-of-range connector number in the CCI, causing an out-of-bounds array access in ucsi_connector_change().

Add a bounds check in ucsi_notify_common(), the central point where CCI is parsed after arriving from hardware, so that bogus connector numbers are rejected before they propagate further.

AnalysisAI

Out-of-bounds array access in Linux kernel UCSI (USB Type-C Connector System Software Interface) driver allows local authenticated attackers to achieve arbitrary code execution or system crash. A malicious USB-C device or compromised firmware can send a crafted CCI (Connector Change Indicator) message with an invalid connector number (0-127) that exceeds the allocated connector array bounds (typically 2-4 entries), triggering memory corruption in ucsi_connector_change(). Vendor patches available for kernel 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC currently identified.

Technical ContextAI

This vulnerability affects the USB Type-C Connector System Software Interface (UCSI) subsystem in the Linux kernel, specifically the driver code at drivers/usb/typec/ucsi/. UCSI is the standard interface between system firmware and OS drivers for managing USB Type-C ports and Power Delivery functionality. The CCI (Connector Change Indicator) is a hardware-generated message containing a 7-bit connector number field extracted via the UCSI_CCI_CONNECTOR() macro. The vulnerability is classified as CWE-129 (Improper Validation of Array Index), where untrusted input from hardware is used directly as an array index without bounds validation. The connector array in struct ucsi is dynamically allocated based on the device-reported connector count during initialization, creating a classic index-out-of-bounds scenario when hardware provides malformed data. Affected CPE identifiers indicate impact across multiple Linux kernel versions starting from 5.5 where UCSI support was introduced, with the vulnerable code path present from commit bdc62f2bae8fb0e8e99574de5232f0a3c54a27df forward until patched.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.81 or later for 6.12.x series, 6.18.22 or later for 6.18.x series, 6.19.12 or later for 6.19.x series, or mainline 7.0 or later. Patch commits available at https://git.kernel.org/stable/c/f6dcbf2b024d55549959402f1db6c614e51d52cb (mainline), https://git.kernel.org/stable/c/f4e608fe12b7ac6a4a57176ab0296bb5a110a078, https://git.kernel.org/stable/c/98429e9ec89a5e3a204112dfaa2dbe6ca28493a0, and https://git.kernel.org/stable/c/d2d8c17ac01a1b1f638ea5d340a884ccc5015186 for backports. The fix adds a simple bounds check (if connector_num >= ucsi->cap.num_connectors) in ucsi_notify_common() before indexing the connector array. If immediate patching is not feasible, consider these compensating controls with trade-offs: (1) Blacklist the ucsi_acpi kernel module via modprobe configuration to prevent UCSI driver loading, which disables USB Type-C functionality including DisplayPort Alt Mode, Power Delivery negotiation, and USB-C port management - acceptable only if USB-C features are not business-critical; (2) Implement USB device whitelisting via USBGuard or similar tools to block unauthorized USB-C device connections, reducing malicious hardware attack surface but requiring ongoing policy maintenance and potentially impacting user productivity; (3) Disable Thunderbolt/USB4 in BIOS/UEFI if not required, as these protocols share the USB-C physical layer and may exercise the vulnerable code path, though this does not protect against malicious firmware scenarios. Note that compensating controls do not address firmware-based attack vectors where compromised BMC or system firmware could inject malicious CCI messages directly.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26542 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy