Skip to main content

Linux Kernel NFC CVE-2026-31629

| EUVDEUVD-2026-25522 HIGH
Improper Locking (CWE-667)
2026-04-24 Linux GHSA-cfpg-q83x-6923
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:36 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:37 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25522
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: add missing return after LLCP_CLOSED checks

In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free.

Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.

AnalysisAI

Use-after-free in Linux kernel NFC LLCP implementation allows adjacent-network attackers to execute arbitrary code with kernel privileges. The flaw occurs when socket state is LLCP_CLOSED in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), where missing return statements cause double release_sock() and refcount underflow, leading to memory corruption. Vendor-released patches available for stable kernels 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC confirmed at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's NFC (Near Field Communication) subsystem, specifically the LLCP (Logical Link Control Protocol) implementation used for peer-to-peer NFC communications. The affected code paths handle HDLC (High-Level Data Link Control) frames and disconnect messages in the NFC LLCP stack. The bug is a classic control flow error where two functions (nfc_llcp_recv_hdlc and nfc_llcp_recv_disc) check if a socket is in LLCP_CLOSED state and correctly perform cleanup operations (release_sock() and nfc_llcp_sock_put()), but then fall through to execute the same cleanup operations again at the function's normal exit path. The release_sock() function releases a socket lock, and calling it twice on the same lock corrupts lock state. The nfc_llcp_sock_put() function decrements a reference counter; calling it twice causes an underflow, making the counter wrap around or become negative. When the reference count reaches zero prematurely, the kernel frees the socket structure while code still holds pointers to it, creating a use-after-free condition. An attacker who can trigger these code paths with a socket in LLCP_CLOSED state can potentially exploit the freed memory for arbitrary code execution at kernel privilege level. The vulnerability has existed since the initial LLCP implementation (commit 1da177e4c3f4 from Linux 2.6.12-rc2 in 2005), affecting nearly two decades of kernel versions.

RemediationAI

Update to patched Linux kernel versions: 6.12.83, 6.18.24, 6.19.14, or 7.0.1 and later in respective stable branches. Upstream fixes are available in kernel.org git stable tree at commits 796e0cac058252d0ad34ebe288e6f7979b5fc9b2, 8977fad2b3c6eefd414131168d597c5d1d5e1abf, ff3d9e8f7244293e303f7b6ef70774291c7c27e9, and aba4712e8f0381cd5d196534ce2ad082626a5ab6. Distribution-specific advisories should be consulted for backported patches in enterprise kernels. If immediate patching is not feasible and NFC functionality is not required, disable the NFC subsystem entirely by blacklisting kernel modules (modprobe blacklist nfc, nfc_digital, nfc_llcp) or unloading them if already loaded (rmmod nfc_llcp nfc). This eliminates the vulnerable code path but renders all NFC functionality unavailable, which is acceptable for servers and workstations but breaks NFC-dependent workflows on mobile devices and payment terminals. For systems requiring NFC, restrict adjacent network access through network segmentation and ensure only trusted devices can communicate on the same network segment as NFC-enabled systems. Monitor for abnormal NFC traffic patterns or kernel warnings related to socket refcount errors. Note that disabling NFC modules may require kernel rebuild if compiled as built-in (=y) rather than module (=m). Enterprise environments should prioritize patching mobile device fleets and specialized NFC infrastructure (payment terminals, access control systems) over general server infrastructure where NFC is typically absent.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy