Skip to main content

Linux Kernel CVE-2026-31509

| EUVDEUVD-2026-24889 MEDIUM
Improper Locking (CWE-667)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x33w-8476-hwm3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 15:07 vuln.today
CVSS changed
Apr 28, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 15:02 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24889
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: fix circular locking dependency in nci_close_device

nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too:

nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)

Move the flush of rx_wq after req_lock has been released. This should safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN.

NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs.

AnalysisAI

Denial of service via deadlock in NFC NCI subsystem when nci_close_device() flushes work queues while holding req_lock, triggering a circular lock dependency with nci_rx_work(). The vulnerability affects Linux kernels across multiple stable branches (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, 7.0) and was reproduced in roughly 4% of nci selftest runs on debug kernels, though EPSS scoring (0.02% percentile 7%) indicates low baseline exploitation probability. Local privilege requirement and high attack complexity in practice mean real-world impact is limited to NFC-capable systems with specific workload timing.

Technical ContextAI

The vulnerability exists in the Linux kernel's NFC (Near Field Communication) subsystem, specifically in the NCI (NFC Controller Interface) layer within nci_close_device(). The root cause (CWE-667: Improper Locking) stems from a circular lock dependency: nci_close_device() acquires req_lock (a mutex) and then flushes rx_wq and tx_wq work queues. However, nci_rx_work() running on rx_wq can trigger a call chain (nci_rx_data_packet → nci_data_exchange_complete → __sk_destruct → rawsock_destruct → nfc_deactivate_target → nci_deactivate_target → nci_request) that also attempts to acquire req_lock. This creates a deadlock scenario where the work queue flush cannot complete because the worker thread is blocked waiting for the same lock held by the flushing context. The fix relocates the rx_wq flush after req_lock is released, relying on the NCI_UP flag being cleared and transport closure to cause the work to exit early with -ENETDOWN.

RemediationAI

Apply vendor-released patches: Linux 5.10.253 or later, 5.15.203 or later, 6.1.168 or later, 6.6.131 or later, 6.12.80 or later, 6.18.21 or later, 6.19.11 or later, or 7.0 or later for the corresponding stable branch. Patches are available via git.kernel.org as referenced in upstream commits. For systems unable to patch immediately, disable or unload the NFC subsystem (modprobe -r nfc, nci) if NFC hardware is not in use; this eliminates the attack surface entirely without performance impact on non-NFC systems. Disable NFC at kernel compile time (CONFIG_NFC=n) for kernels built from source. Systems with NFC actively in use should prioritize patching over workarounds due to the fix's low complexity and high reliability gain. Monitor kernel.org stable updates for the respective branch and apply as part of regular security patching cycles.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy