Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: properly drop the usb interface reference on disconnect

When the device is disconnected from the driver, there is a "dangling"
reference count on the usb interface that was grabbed in the probe
callback. Fix this up by properly dropping the reference after we are
done with it.
Published: 2026-03-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash due to dangling USB interface reference)
Action: Update Kernel
AI Analysis

Impact

The vulnerability involves a dangling reference count on the USB interface used by the NFC PN533 driver in the Linux kernel. When the device is disconnected, the driver fails to release the reference that was taken during probe, leaving a stray count. Based on the description, such an unresolved reference can lead the kernel to operate on freed or invalid memory, potentially causing a kernel crash and resulting in a denial of service.

Affected Systems

All versions of the Linux kernel that contain the pn533 NFC driver before the patch are potentially affected. No precise kernel release is listed, so any deployment that includes the original probe implementation is at risk.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of exploitation in the wild. The flaw requires local access to a system with the NFC device; the attacker would need to physically or virtually disconnect the device to trigger the failing reference count. The likely attack vector is local device disconnection, making external exploitation unlikely. The potential impact if exploited is a kernel crash that could render the system unusable until reboot.

Generated by OpenCVE AI on March 26, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that includes the patched pn533 driver.
  • If an immediate kernel update is unavailable, disable or unload the pn533 driver until a patch is applied.
  • Verify that the device no longer causes kernel crashes after the update or disablement.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
CWE-772

Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
CWE-772

Wed, 25 Mar 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: properly drop the usb interface reference on disconnect When the device is disconnected from the driver, there is a "dangling" reference count on the usb interface that was grabbed in the probe callback. Fix this up by properly dropping the reference after we are done with it. |
| Title | | nfc: pn533: properly drop the usb interface reference on disconnect |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:42.173Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23291

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-25T11:16:24.197

Modified: 2026-04-18T09:16:17.077

Link: CVE-2026-23291

Redhat

Severity:

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23291 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:14Z

Weaknesses