In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential out of bounds in ucsiccgupdatesetnewcamcmd() The "*cmd" variable can be controlled by the user via debugfs. That means "newcam" can be as high as 255 while the size of the uc->updated[] array is UCSIMAXALTMODES (30). The call tree is: ucsicmd() // val comes from simpleattrwritexsigned() -> ucsisendcommand() -> ucsisendcommandcommon() -> ucsiruncommand() // calls ucsi->ops->synccontrol() -> ucsiccgsynccontrol()