PT-2026-36364 · Linux · Linux Kernel

Published: 2026-05-01 · Updated: 2026-06-05 · CVE-2026-31729

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

An out-of-bounds array access can occur in the ucsi_connector_change() function. The connector number extracted from the Command Completion Interface (CCI) via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127), while the connector array is allocated only for the number of connectors reported by the device. A malicious or malfunctioning device could provide an out-of-range connector number, leading to an out-of-bounds memory access. To prevent this, a bounds check was added to the ucsi_notify_common() function, which serves as the central point for parsing CCI data from hardware.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
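
The bounds check described above, as an added user-space model; it is not the kernel's code or the upstream patch. The names ucsi_model, notify_checked and CCI_CONNECTOR are hypothetical, and the bit position of the connector field and the 1-based numbering are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model assumption: the 7-bit connector number sits in bits 7:1 of the CCI. */
#define CCI_CONNECTOR(cci) (((cci) >> 1) & 0x7fu)

struct connector { unsigned int events; };

struct ucsi_model {
    unsigned int num_connectors;   /* count reported by the device */
    struct connector *connector;   /* exactly num_connectors entries */
};

int ucsi_model_init(struct ucsi_model *u, unsigned int n)
{
    u->num_connectors = n;
    u->connector = calloc(n, sizeof(*u->connector));
    return u->connector ? 0 : -1;
}

/* Central CCI parser with the bounds check. Without the range test, any
 * value up to 127 would index an array of only num_connectors entries.
 * Returns 1 if an event was dispatched, 0 if none flagged, -1 if rejected. */
int notify_checked(struct ucsi_model *u, uint32_t cci)
{
    unsigned int num = CCI_CONNECTOR(cci);

    if (num == 0)
        return 0;                    /* no connector change reported */
    if (num > u->num_connectors)
        return -1;                   /* device-supplied index out of range */
    u->connector[num - 1].events++;  /* assumption: numbers are 1-based */
    return 1;
}

int main(void)
{
    struct ucsi_model u;
    uint32_t samples[] = { 0x00, 1u << 1, 2u << 1, 3u << 1, 0xFE }; /* constructed */
    if (ucsi_model_init(&u, 2))
        return 1;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("cci=0x%02x connector=%u -> %d\n", (unsigned)samples[i],
               (unsigned)CCI_CONNECTOR(samples[i]), notify_checked(&u, samples[i]));
    free(u.connector);
    return 0;
}
```

Placing the check in the single function that parses device-supplied CCI values means every later consumer of the connector number receives an index already validated against the allocated array.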

Weakness Enumeration

Improper Validation of Array Index

Related Identifiers

CVE-2026-31729
ECHO-5F9B-11DD-CBAA
OESA-2026-2492
SUSE-SU-2026:22048-1
SUSE-SU-2026:22076-1
SUSE-SU-2026:22087-1

Affected Products

Linux Kernel