Skip to main content

Linux Kernel NFC CVE-2026-31622

| EUVDEUVD-2026-25515 HIGH
Classic Buffer Overflow (CWE-120)
2026-04-24 Linux GHSA-3r85-565g-4jhq
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 14:22 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 14:14 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:36 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25515
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows).

ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round.

Fix this by rejecting the response when the accumulated UID would exceed the buffer.

Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.

AnalysisAI

Heap buffer overflow in Linux kernel NFC-A digital target driver allows adjacent-network attackers to corrupt memory and potentially execute code. A malicious NFC peer device can trigger unbounded cascade loops during anti-collision protocol, writing beyond the 10-byte nfcid1 buffer with each iteration. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation, but the adjacent attack vector (AV:A) limits exposure to proximity-based attacks. Vendor patches available across multiple stable kernel branches (6.12.83, 6.18.24, 6.19.14, 7.0.1). No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability exists in the Linux kernel's NFC digital layer (net/nfc/digital_technology.c), specifically in the digital_in_recv_sdd_res() function handling ISO 14443-3 Type A anti-collision protocol. During Single Device Detection (SDD), the cascade mechanism appends 3-4 bytes of UID data to the nfc_target structure's nfcid1 field per round. ISO 14443-3 specifies a maximum of three cascade levels (10 bytes total: 3+3+4 or 4+3+3), matching NFC_NFCID1_MAXSIZE=10. However, the driver lacks validation of cascade depth, trusting the peer device's cascade tag (CT byte 0x88) and SEL_RES incomplete bit to control loop termination. A rogue NFC tag can force additional cascade rounds beyond the three-level limit, causing heap overflow. This mirrors CVE-2024-23120 (e329e71013c9) which fixed similar missing bounds checks in the NCI (NFC Controller Interface) code path. The vulnerability affects the digital protocol implementation used by various NFC controllers including PN533, TRF7970A, and ST95HF when operating in reader/writer mode with Type A tags.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83+ for 6.12.x series, 6.18.24+ for 6.18.x series, 6.19.14+ for 6.19.x series, or 7.0.1+ for 7.x series. Mainline users should ensure commit 46ce8be2ced3 or later is present. Patch references: https://git.kernel.org/stable/c/cc024a3de265ef6c58957f4990eccb9f806208cb (6.12), https://git.kernel.org/stable/c/8d9d9bf3565271ca7ab9c716a94e87296177e7ba (6.18), https://git.kernel.org/stable/c/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1 (6.19), https://git.kernel.org/stable/c/1bec5698b55aa2be5c3b983dba657c01d0fd3dbc (7.0). For systems unable to patch immediately, disable NFC functionality via 'rfkill block nfc' or unload NFC kernel modules (nfc_digital, pn533_usb, etc.) if not operationally required-this eliminates attack surface but renders NFC hardware non-functional. Alternatively, restrict NFC reader operation to trusted tag sources only in controlled environments, though this is difficult to enforce technically. No configuration-based workaround exists to limit cascade depth without code changes. Disabling NFC has no side effects for non-NFC workflows but breaks payment, pairing, and access control features dependent on NFC.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy