CVE-2026-43032
Description
In the Linux kernel, the following vulnerability has been resolved:
NFC: pn533: bound the UART receive buffer
pn532_receive_buf() appends every incoming byte to dev->recv_skb and only resets the buffer after pn532_uart_rx_is_frame() recognizes a complete frame. A continuous stream of bytes without a valid PN532 frame header therefore keeps growing the skb until skb_put_u8() hits the tail limit.
Drop the accumulated partial frame once the fixed receive buffer is full so malformed UART traffic cannot grow the skb past PN532_UART_SKB_BUFF_LEN.
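A userspace model of the accumulation and the drop-when-full rule described above, added here as an example; it is not the kernel's code or the upstream patch. BUF_LEN (with an assumed value of 32), rx_model, rx_feed, run and the ACK-only frame check are names and simplifications made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code; 32 is an assumed PN532_UART_SKB_BUFF_LEN. */
#define BUF_LEN 32
struct rx_model { uint8_t buf[BUF_LEN]; size_t len, frames, drops, overruns; };
/* Stand-in for pn532_uart_rx_is_frame(): matches only a trailing PN532 ACK frame. */
static int is_frame(const struct rx_model *m)
{
    static const uint8_t ack[] = {0x00, 0x00, 0xFF, 0x00, 0xFF, 0x00};
    return m->len >= sizeof(ack) && !memcmp(m->buf + m->len - sizeof(ack), ack, sizeof(ack));
}

/* bounded=0: pre-fix accumulation; bounded=1: drop the partial frame when full. */
static void rx_feed(struct rx_model *m, const uint8_t *d, size_t n, int bounded)
{
    for (size_t i = 0; i < n; i++) {
        if (m->len == BUF_LEN && !bounded) {
            m->overruns++;   /* here skb_put_u8() would hit the tail limit */
            continue;        /* the model itself never writes out of bounds */
        }
        if (m->len == BUF_LEN) {
            m->len = 0;      /* fix: discard the accumulated partial frame */
            m->drops++;
        }
        m->buf[m->len++] = d[i];
        if (is_frame(m)) {   /* complete frame: count it and reset the buffer */
            m->frames++;
            m->len = 0;
        }
    }
}

/* Constructed input: 100 bytes with no frame header, then one ACK frame. */
static struct rx_model run(int bounded)
{
    struct rx_model m = {0};
    uint8_t in[106];
    memset(in, 0xAA, 100);
    memcpy(in + 100, "\x00\x00\xFF\x00\xFF\x00", 6);
    rx_feed(&m, in, sizeof(in), bounded);
    return m;
}

int main(void)
{
    printf("pre-fix overruns=%zu, bounded drops=%zu\n", run(0).overruns, run(1).drops);
    return 0;
}
```

In the model, the bounded receiver still recognises the frame that follows the junk bytes, while the unbounded one is stuck at a full buffer and counts every later byte as an append past the tail.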
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's NFC pn533 UART driver, a missing receive-buffer bound lets a malformed byte stream keep growing the skb until skb_put_u8() hits the tail limit, resulting in a denial of service.
Vulnerability
The UART transport of the Linux kernel's NFC driver for PN533 devices receives data in pn532_receive_buf(), which appends every incoming byte to a socket buffer (dev->recv_skb) and resets that buffer only after pn532_uart_rx_is_frame() recognizes a complete PN532 frame. If an attacker sends a continuous stream of bytes that never forms a valid frame header, the skb keeps growing until skb_put_u8() hits the tail limit, causing a denial of service.[1]
Exploitation
Exploitation requires physical or logical access to send UART traffic to a system with the vulnerable driver. No authentication is needed beyond the ability to communicate over the UART bus (e.g., via a plugged-in NFC device or a compromised peripheral). The attack is purely data-driven: a malformed byte stream without valid PN532 frame headers is sufficient to trigger the unbounded growth.
Impact
An attacker can cause the kernel to exhaust the socket buffer's allocated tail space, leading to a system crash or hang. The highest threat is to availability; the vulnerability does not enable code execution or privilege escalation. The CVSS v3 score is 5.5 (Medium), reflecting the denial-of-service impact with a low attack complexity.
Mitigation
The fix is committed in the Linux stable kernel tree ([1], [2], [3], [4]). It enforces a limit check: once the partial accumulated frame reaches PN532_UART_SKB_BUFF_LEN, the buffer is dropped, preventing unbounded growth. System administrators should apply the corresponding stable kernel update as soon as possible.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.5,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
References
- git.kernel.org/stable/c/23e925183db26cd322597679669ad29d70ed2ada (nvd, Patch)
- git.kernel.org/stable/c/2c1fadd221b21d8038acfe6a0f56291881d5ff76 (nvd, Patch)
- git.kernel.org/stable/c/30fe3f5f6494f827d812ff179f295a8e532709d6 (nvd, Patch)
- git.kernel.org/stable/c/3adca9be14bf36b927193f05f5aea35a1a90e913 (nvd, Patch)
- git.kernel.org/stable/c/8bedf1dd5640ac8997bff00bbefe241b438df397 (nvd, Patch)
- git.kernel.org/stable/c/ad2f60de5045bfb5d20ea468a97c8760c6a3a4f8 (nvd, Patch)
- git.kernel.org/stable/c/cf2ff10183204349edfd6b972e189375fc5f1fb0 (nvd, Patch)
- git.kernel.org/stable/c/f48ab6ee654ecc350434e4566bc785773f412b7e (nvd, Patch)