Skip to main content

Linux Kernel CVE-2026-43098

| EUVDEUVD-2026-27607 MEDIUM
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 21:45 vuln.today
CVSS changed
May 14, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfc: s3fwrn5: allocate rx skb before consuming bytes

s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complete frame before allocating a fresh receive buffer.

If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8().

Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.

AnalysisAI

Denial of service via NULL pointer dereference in the NFC s3fwrn5 driver's UART receive handler allows local authenticated attackers to crash the system. The vulnerability exists in s3fwrn82_uart_read() which consumes bytes from the serial device before allocating a fresh receive buffer; if memory allocation fails after bytes are already consumed, the function incorrectly reports success while leaving the receive buffer NULL, causing a NULL dereference on the next skb_put_u8() call. This affects Linux kernel versions 5.11 and later, with patches available for stable branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.

Technical ContextAI

The s3fwrn5 NFC (Near Field Communication) driver handles UART serial device communication on Linux systems. The vulnerability resides in the s3fwrn82_uart_read() callback function, which is part of the serdev (serial device) framework that manages byte-oriented serial communication. The function receives data via the serial port and builds frames in a socket buffer (skb). The root cause is an incorrect order of operations: the current implementation consumes bytes from the receive stream and potentially delivers complete frames before allocating a new receive buffer (alloc_skb()). If this allocation fails, the callback violates the receive_buf() accounting contract by returning 0 (indicating no bytes consumed) even though bytes have already been consumed from the stream, and leaves recv_skb as NULL. Subsequent calls to skb_put_u8() on the NULL pointer cause a kernel crash. The fix reallocates the receive skb lazily before consuming the next byte, ensuring that if allocation fails, already-accepted bytes are properly reported and the buffer state remains consistent.

RemediationAI

Apply the latest patched kernel version for your stable branch: upgrade to 6.6.136, 6.12.83, 6.18.24, 6.19.14, or 7.0 or later. The fix is available in upstream Linux and all active stable kernel branches via git.kernel.org (see references). For systems unable to immediately patch, disable NFC driver functionality via kernel boot parameters (modprobe blacklist nfc_s3fwrn5) if NFC hardware is not required, eliminating the attack surface entirely without side effects. Alternatively, restrict local system access to trusted users only and monitor for unexpected memory allocation failures in kernel logs (dmesg) related to NFC operations. Full patch details are available at https://git.kernel.org/stable/c/d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156 and related commits.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy