CVE-2026-31729

/* * Conceptual PoC for CVE-2026-31729 * This C code simulates the vulnerable logic in the Linux Kernel UCSI driver. * It demonstrates how a malicious connector number leads to an Out-of-Bounds access. */ #include <stdio.h> #include <stdlib.h> #define MAX_REAL_CONNECTORS 2 // Typical hardware allocation #define UCSI_MAX_CONNECTORS 127 // Max 7-bit value struct connector { int status; }; // Simulated vulnerable function void ucsi_connector_change_vulnerable(int connector_num, struct connector *con_array) { printf("[+] Accessing connector index: %d\n", connector_num); // VULNERABILITY: No bounds check before array access // If connector_num > MAX_REAL_CONNECTORS, this is OOB int status = con_array[connector_num].status; printf("[+] Connector status: %d\n", status); } int main() { // Allocate memory based on actual hardware (e.g., 2 connectors) struct connector *connectors = malloc(sizeof(struct connector) * MAX_REAL_CONNECTORS); // Initialize for(int i=0; i<MAX_REAL_CONNECTORS; i++) connectors[i].status = i; printf("--- Triggering Vulnerable Code ---\n"); // Attack vector: Malicious device sends connector number 100 int malicious_cci = 100; if (malicious_cci >= MAX_REAL_CONNECTORS) { printf("[!] Attempting Out-of-Bounds access!\n"); } // This will crash or read garbage/memory dump ucsi_connector_change_vulnerable(malicious_cci, connectors); free(connectors); return 0; }

{"cve": {"id": "CVE-2026-31729", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:35.467", "lastModified": "2026-05-07T16:02:57.897", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: validate connector number in ucsi_notify_common()\n\nThe connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a\n7-bit field (0-127) that is used to index into the connector array in\nucsi_connector_change(). However, the array is only allocated for the\nnumber of connectors reported by the device (typically 2-4 entries).\n\nA malicious or malfunctioning device could report an out-of-range\nconnector number in the CCI, causing an out-of-bounds array access in\nucsi_connector_change().\n\nAdd a bounds check in ucsi_notify_common(), the central point where CCI\nis parsed after arriving from hardware, so that bogus connector numbers\nare rejected before they propagate further."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.12.81", "matchCriteriaId": "D1C17227-02C7-4A55-A9E6-1F88A48429E5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/98429e9ec89a5e3a204112dfaa2dbe6ca28493a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d2d8c17ac01a1b1f638ea5d340a884ccc5015186", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f4e608fe12b7ac6a4a57176ab0296bb5a110a078", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f6dcbf2b024d55549959402f1db6c614e51d52cb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}