CVE-2026-43098
Description
In the Linux kernel, the following vulnerability has been resolved:
nfc: s3fwrn5: allocate rx skb before consuming bytes
s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complete frame before allocating a fresh receive buffer.
If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's NFC s3fwrn5 driver, a failed receive buffer allocation after bytes have already been consumed can cause a NULL pointer dereference and break receive accounting.
Vulnerability
In the Linux kernel's NFC s3fwrn5 driver, the s3fwrn82_uart_read() function in nfc/s3fwrn5/uart.c mishandles receive buffer allocation. It consumes bytes into the current recv_skb and may deliver a complete frame before allocating a fresh buffer. If alloc_skb() fails, the function returns 0 despite having consumed bytes, violating the serdev receive buffer accounting contract and leaving recv_skb as NULL. This leads to a NULL pointer dereference on the next skb_put_u8() call.
Exploitation
The vulnerability can be triggered by an NFC device that sends data while memory pressure causes alloc_skb() to fail. No special privileges are required beyond the ability to interact with the NFC driver, which may be accessible to local users via NFC interfaces or to an attacker in close proximity if the device is configured to accept NFC communication.
Impact
Successful exploitation results in a kernel NULL pointer dereference, causing a system crash (denial of service). The bug also corrupts the receive buffer accounting, potentially leading to further instability.
Mitigation
The fix, introduced in kernel commit 09822d3d6f68 [1], allocates the receive skb lazily before consuming the next byte; if that allocation fails, the callback returns the number of bytes already accepted, so the accounting stays correct and no byte is written through a NULL recv_skb. The fix has been backported to multiple stable kernel releases via commits [2], [3], and [4]. Users should update to the latest stable kernel to remediate this issue.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
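The accounting bug and the lazy-allocation fix described above, as a userspace model added here for illustration; it is not the driver's code. The names (`rx_eager`, `rx_lazy`, `fail_after`), the use of `malloc` in place of `alloc_skb()`, and the 3-byte-header framing are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

#define HDR 3                 /* assumed framing: 3-byte header, byte 2 = payload length */
struct rx { unsigned char *buf; size_t len; int frames; };
static int fail_after = -1;   /* fault injection: successful allocs before one failure */

static unsigned char *rx_alloc(void)
{
    if (fail_after == 0) { fail_after = -1; return NULL; }
    if (fail_after > 0) fail_after--;
    return malloc(HDR + 255);
}
static int frame_done(const struct rx *r) { return r->len >= HDR && r->len - HDR >= r->buf[2]; }
/* Frame handed upward: the receive path no longer owns a buffer. */
static void deliver(struct rx *r) { r->frames++; free(r->buf); r->buf = NULL; r->len = 0; }

/* Before: allocate after delivery; on failure report 0 and keep buf == NULL. */
size_t rx_eager(struct rx *r, const unsigned char *d, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        r->buf[r->len++] = d[i];             /* would fault here on the next call */
        if (!frame_done(r)) continue;
        deliver(r);
        if (!(r->buf = rx_alloc())) return 0; /* bytes consumed, yet 0 reported */
    }
    return i;
}

/* After: allocate lazily before consuming a byte; on failure report i. */
size_t rx_lazy(struct rx *r, const unsigned char *d, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (!r->buf && !(r->buf = rx_alloc())) return i;
        r->buf[r->len++] = d[i];
        if (frame_done(r)) deliver(r);
    }
    return i;
}

int main(void)
{
    const unsigned char in[] = { 0x60, 0, 1, 0xAA, 0x61, 0, 0 };  /* constructed: two frames */
    struct rx l = { NULL, 0, 0 };
    fail_after = 1;                                               /* second allocation fails */
    printf("lazy accepted %zu of 7\n", rx_lazy(&l, in, sizeof in));
    return 0;
}
```

With the second allocation failing, `rx_lazy` reports 4 accepted bytes so the caller can re-present the remaining 3, while `rx_eager` reports 0 after consuming 4 and is left with a NULL buffer for the next call.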
References
- git.kernel.org/stable/c/09822d3d6f68a0cdc4626e0c507324a4927f55a9 (nvd, Patch)
- git.kernel.org/stable/c/5c14a19d5b1645cce1cb1252833d70b23635b632 (nvd, Patch)
- git.kernel.org/stable/c/6d931680a9851481c3243689488eafed08eeff71 (nvd, Patch)
- git.kernel.org/stable/c/7c31f7a599cf00fad3c204092a91a924126c67e4 (nvd, Patch)
- git.kernel.org/stable/c/d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156 (nvd, Patch)