CVE-2026-31660
Description
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532_receive_buf() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer.
If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL-pointer dereference and buffer accounting issue in the Linux kernel's NFC pn533 driver can be triggered by failing memory allocation.
Vulnerability Overview
CVE-2026-31660 is a flaw in the Linux kernel's NFC driver for the PN533 chipset. In the pn532_receive_buf() function, the driver reads incoming serial data into a receive socket buffer (recv_skb). When a complete frame is assembled, the callback hands it off to pn533_recv_frame() and then attempts to allocate a new socket buffer for subsequent data. If the alloc_skb() call fails (e.g., due to memory pressure), the function returns 0, indicating that no bytes were consumed. However, the bytes that were already processed into the handed-off frame are irrevocably consumed from the serial device's viewpoint, breaking the accounting contract with the serdev subsystem. Furthermore, recv_skb is set to NULL after the failed allocation, so the next call to skb_put_u8() causes a NULL-pointer dereference [1][2][3][4].
Exploitation Prerequisites and Attack Surface
Exploitation requires an attacker to be able to affect memory allocation on a system running a vulnerable kernel while it communicates with a PN533-based NFC controller. This may be achieved by exhausting kernel memory through other means (e.g., local denial-of-service or specific workload conditions). No authentication is needed to trigger the vulnerable code path; any data received from the NFC device can reach the buggy function. Physical proximity or logical access to the NFC interface is required, but the attack vector is considered local because the driver runs in kernel space [1][2][3][4].
Impact
A successful trigger of the allocation failure leads to a NULL-pointer dereference, causing a kernel oops and likely a system crash (denial of service). In some configurations, this could potentially be used to escalate privileges if the dereference is exploitable further, though the primary documented impact is system instability due to the NULL-pointer fault. The vulnerability is rated medium severity (CVSS 5.5) because it requires local access and specific conditions [1][2][3][4].
Mitigation
Patches have been issued for the Linux kernel. The fix, applied to multiple stable branches, changes the allocation to be lazy: the new recv_skb is allocated before consuming the next byte, and if allocation fails, the function returns the number of bytes already accepted, preserving accounting integrity and avoiding a NULL pointer [1][2][3][4]. Users should update their kernel to the latest stable version containing the commit.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
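The ordering difference between the pre-fix and post-fix callback described above, as a userspace C model added here (it is not the kernel driver's code). `FRAME_LEN`, `model_alloc()`, `deliver()` and the fixed-length framing are assumptions standing in for `alloc_skb()`, `pn533_recv_frame()` and the driver's real frame detection.

```c
/* Userspace model of the receive callback ordering; not kernel code. */
#include <stdlib.h>

#define FRAME_LEN 4 /* assumption: fixed-size frames keep the model short */
struct buf { unsigned char data[FRAME_LEN]; size_t len; };
struct dev { struct buf *rx; int frames; int fail_alloc; };

/* Stand-in for alloc_skb(); fail_alloc simulates memory pressure. */
static struct buf *model_alloc(struct dev *d)
{
    return d->fail_alloc ? NULL : calloc(1, sizeof(struct buf));
}

/* Stand-in for pn533_recv_frame(): takes ownership of the full frame. */
static void deliver(struct dev *d)
{
    free(d->rx);
    d->rx = NULL;
    d->frames++;
}

/* Pre-fix ordering: consume, hand off, then allocate the next buffer. */
static size_t receive_buf_old(struct dev *d, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!d->rx)
            return (size_t)-1; /* the driver would dereference NULL here */
        d->rx->data[d->rx->len++] = p[i];
        if (d->rx->len == FRAME_LEN) {
            deliver(d);
            if (!(d->rx = model_alloc(d)))
                return 0; /* wrong: i + 1 bytes were already consumed */
        }
    }
    return n;
}

/* Post-fix ordering: allocate lazily before consuming the next byte. */
static size_t receive_buf_new(struct dev *d, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!d->rx && !(d->rx = model_alloc(d)))
            return i; /* exactly the bytes accepted so far */
        d->rx->data[d->rx->len++] = p[i];
        if (d->rx->len == FRAME_LEN)
            deliver(d);
    }
    return n;
}
```

With allocation failing after the first frame, the old ordering reports 0 for four consumed bytes and leaves `rx` NULL, while the new ordering reports 4 and resumes cleanly once allocation succeeds again.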
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.5.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
References
- git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279 (nvd, Patch)
- git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f (nvd, Patch)
- git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de (nvd, Patch)
- git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb (nvd, Patch)
- git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038 (nvd, Patch)
- git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28 (nvd, Patch)
- git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637 (nvd, Patch)
- git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352 (nvd, Patch)