CVE-2025-40043
Description
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: nci: Add parameter validation for packet data
Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").
This bug arises due to very limited and poor input validation that was done at nci_valid_size(). This validation only validates the skb->len (which directly reflects the size provided at the userspace interface) against the length provided in the buffer itself (interpreted as an NCI header). This leads to the processing of memory content at the address assuming the correct layout per what the opcode requires there. This leads to accesses to the sk_buff->data buffer which has not been assigned anything yet.
Following the same silent drop of packets of invalid sizes at nci_valid_size(), add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in nci_ntf_packet and effectively do a silent drop.
Possible TODO: because we silently drop the packets, the call to nci_request will be waiting for completion of the request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require exporting nci_request_cancel (or propagating error handling from the ntf packet handlers).
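The two-stage check the description contrasts, shown as an added user-space model rather than the kernel's own code: the header-only size check that was in place before the fix, and the per-handler payload validation the fix adds. The NCI header layout (octet 0: MT/PBF/GID, octet 1: OID, octet 2: payload length) follows the NCI specification; the opcode table, the required payload lengths and the sample packets are constructed for illustration and are not the kernel's. The pre-fix path is modelled by counting how many bytes past the supplied payload a handler would consume, without performing that access.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of NCI control-packet validation; not kernel code. */
#define NCI_CTRL_HDR_SIZE 3

struct nci_pkt {
    const uint8_t *data;   /* raw bytes as received from the interface */
    size_t len;            /* bytes actually supplied (the skb->len analogue) */
};

static inline uint8_t pkt_plen(const struct nci_pkt *p) { return p->data[2]; }
static inline uint16_t pkt_opcode(const struct nci_pkt *p)
{
    /* GID is the low nibble of octet 0, OID the low 6 bits of octet 1 */
    return (uint16_t)(((p->data[0] & 0x0f) << 8) | (p->data[1] & 0x3f));
}

/*
 * Stage 1: header-only check. Guarantees the header is present, the declared
 * payload length is non-zero, and the buffer holds that many payload bytes.
 * It knows nothing about the layout the opcode's handler will assume.
 */
bool nci_header_size_ok(const struct nci_pkt *p)
{
    if (p->len < NCI_CTRL_HDR_SIZE)
        return false;
    if (pkt_plen(p) == 0)
        return false;
    return p->len >= NCI_CTRL_HDR_SIZE + pkt_plen(p);
}

/* Hypothetical per-opcode payload requirements (constructed values). */
struct nci_handler_req {
    uint16_t opcode;
    size_t   min_payload;   /* bytes the handler reads from the payload */
};
static const struct nci_handler_req handler_reqs[] = {
    { 0x0000, 2 },   /* e.g. a status + reason pair */
    { 0x0103, 4 },   /* e.g. id, protocol, mode and one parameter byte */
};

static const struct nci_handler_req *lookup_req(uint16_t opcode)
{
    for (size_t i = 0; i < sizeof handler_reqs / sizeof handler_reqs[0]; i++)
        if (handler_reqs[i].opcode == opcode)
            return &handler_reqs[i];
    return NULL;
}

/*
 * Pre-fix behaviour, modelled safely: how many bytes beyond the supplied
 * payload the handler would consume once only the header check has passed.
 * A non-zero result is the "processing of memory not assigned anything yet".
 */
size_t nci_legacy_overread(const struct nci_pkt *p)
{
    if (!nci_header_size_ok(p))
        return 0;                          /* already silently dropped */
    const struct nci_handler_req *r = lookup_req(pkt_opcode(p));
    if (!r)
        return 0;                          /* unknown opcode: ignored */
    size_t have = pkt_plen(p);
    return have < r->min_payload ? r->min_payload - have : 0;
}

/*
 * Post-fix behaviour: keep the header check, then let each handler validate
 * the payload it needs and return an error so the caller releases the buffer
 * (a silent drop). Returns 0 when handled, a negative errno otherwise.
 */
int nci_dispatch_validated(const struct nci_pkt *p)
{
    if (!nci_header_size_ok(p))
        return -EINVAL;
    const struct nci_handler_req *r = lookup_req(pkt_opcode(p));
    if (!r)
        return -ENOENT;                    /* no handler: drop */
    if (pkt_plen(p) < r->min_payload)
        return -EINVAL;                    /* payload shorter than the layout */
    /* a real handler would now parse r->min_payload bytes safely */
    return 0;
}

/* Constructed sample packets. */
static const uint8_t short_bytes[]     = { 0x60, 0x00, 0x01, 0xaa };              /* plen 1, needs 2 */
static const uint8_t ok_bytes[]        = { 0x61, 0x03, 0x04, 0x01, 0x04, 0x02, 0x00 }; /* plen 4, needs 4 */
static const uint8_t truncated_bytes[] = { 0x60, 0x00 };                          /* no length octet */
const struct nci_pkt sample_short     = { short_bytes,     sizeof short_bytes };
const struct nci_pkt sample_ok        = { ok_bytes,        sizeof ok_bytes };
const struct nci_pkt sample_truncated = { truncated_bytes, sizeof truncated_bytes };

int main(void)
{
    printf("short: header ok=%d legacy overread=%zu validated=%d\n",
           nci_header_size_ok(&sample_short), nci_legacy_overread(&sample_short),
           nci_dispatch_validated(&sample_short));
    printf("ok: validated=%d\n", nci_dispatch_validated(&sample_ok));
    printf("truncated: validated=%d\n", nci_dispatch_validated(&sample_truncated));
    return 0;
}
```

The instructive case is `sample_short`: it satisfies the header-only check (three header bytes, a non-zero declared length, and the buffer really holds that one payload byte), yet a handler expecting two bytes would read one byte past what the caller supplied. The validated dispatcher rejects it with -EINVAL so the buffer is dropped, which is the shape of the fix the description outlines.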
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An insufficient input validation in NCI packet size checks in the Linux kernel NFC subsystem can cause the processing of uninitialized memory, leading to a potential information leak.
In the Linux kernel's NFC (Near Field Communication) subsystem, the nci_init_req function is vulnerable to a bug involving uninitialized data, as reported by syzbot. The root cause is the limited input validation performed by nci_valid_size(). This function only validates the socket buffer length (skb->len) against the length provided in the packet header itself, but fails to ensure that the payload data for specific opcodes is actually present and properly initialized. As a result, the kernel may access memory at skb->data that has not been assigned any content, leading to the processing of uninitialized values.
Exploitation
An attacker can trigger this vulnerability by sending a crafted NCI packet from userspace via the NFC Netlink interface. The exploit requires the ability to create a raw NFC socket and send data that passes the minimal length checks but contains an opcode requiring additional payload that is not supplied. No authentication is required beyond local access to the NFC device node (typically requiring CAP_NET_ADMIN or physical presence). The attack is performed locally and does not require any special network position.
Impact
A successful exploit can cause the kernel to process uninitialized memory, potentially leaking sensitive kernel heap data to an attacker. The leaked data may contain information useful for further exploitation, such as memory addresses or other secrets. The vulnerability does not directly lead to code execution, but information disclosure can weaken other kernel defenses.
Mitigation
The fix is included in the Linux kernel stable commits 9c328f54741bd and 74837bca0748 [1][2]. These patches add proper validation of packet data in the respective handlers and return error values on failure, releasing the socket buffer so that invalid packets are silently dropped. Users should apply the updated kernel as soon as possible. No workaround is available, as the issue is in core NFC protocol handling.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Linux kernel (per the description above)
Patches (6)
- 8fcc7315a10a
- bfdda0123dde
- 0ba68bea1e35
- 74837bca0748
- c395d1e548cc
- 9c328f54741b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
[1] git.kernel.org/stable/c/0ba68bea1e356f466ad29449938bea12f5f3711f (source: NVD)
[2] git.kernel.org/stable/c/74837bca0748763a77f77db47a0bdbe63b347628 (source: NVD)
[3] git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f (source: NVD)
[4] git.kernel.org/stable/c/9c328f54741bd5465ca1dc717c84c04242fac2e1 (source: NVD)
[5] git.kernel.org/stable/c/bfdda0123dde406dbff62e7e9136037e97998a15 (source: NVD)
[6] git.kernel.org/stable/c/c395d1e548cc68e84584ffa2e3ca9796a78bf7b9 (source: NVD)