CVE-2026-31509 - Vulnerability Details

- nfc: nci: fix circular locking dependency in nci_close_device

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: fix circular locking dependency in nci_close_device

nci_close_device() flushes rx_wq and tx_wq while holding req_lock.
This causes a circular locking dependency because nci_rx_work()
running on rx_wq can end up taking req_lock too:

nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete
-> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target
-> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)

Move the flush of rx_wq after req_lock has been released.
This should safe (I think) because NCI_UP has already been cleared
and the transport is closed, so the work will see it and return
-ENETDOWN.

NIPA has been hitting this running the nci selftest with a debug
kernel on roughly 4% of the runs.

Published: 2026-04-22

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a circular locking dependency in the Linux kernel’s NFC NCI subsystem. While closing an NCI device, the code flushes both the rx and tx work queues while still holding the request lock. A worker triggered on the rx queue can simultaneously acquire the request lock, creating a deadlock scenario. An attacker or misbehaving NFC device could trigger this code path, resulting in the kernel hanging or timing out, effectively denying service to NFC operations.

Affected Systems

All publicly available Linux kernel builds that include the NFC NCI subsystem prior to the patched code contain this flaw. No specific versions are listed, but the CPE indicates that every Linux kernel is potentially affected. Users of distributions shipping default kernels should verify that their kernel includes the patch that moves the rx queue flush after the request lock is released.

Risk and Exploitability

The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, suggesting a modest but non-negligible exploitation probability. The attack vector is likely local or device‑based; a compromised NFC device or user with permissions to load NFC drivers could force the deadlock. Once triggered, the system may become unresponsive until rebooted. Given the critical nature of kernel deadlocks, the risk to availability is high and immediate mitigation is recommended.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< 7ed00a3edc8597fe2333f524401e2889aa1b5edf
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< 5eef9ebec7f5738f12cadede3545c05b34bf5ac3
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< ca54e904a071aa65ef3ad46ba42d51aaac6b73b4
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< eb435d150ca74b4d40f77f1a2266f3636ed64a79
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< 1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< d89b74bf08f067b55c03d7f999ba0a0e73177eb3
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< 09143c0e8f3b03517e6233aad42f45c794d8df8e
`6a2968aaf50c7a22fced77a5e24aa636281efca8`	affected	< 4527025d440ce84bf56e75ce1df2e84cb8178616

Linux

affected

Version	Status	Constraints
`3.2`	affected	—
`0`	unaffected	< 3.2
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,7ed00a3edc8597fe2333f524401e2889aa1b5edf)`	affected	code_commit	—
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,5eef9ebec7f5738f12cadede3545c05b34bf5ac3)`	affected	code_commit	—
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,ca54e904a071aa65ef3ad46ba42d51aaac6b73b4)`	affected	code_commit	—
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,eb435d150ca74b4d40f77f1a2266f3636ed64a79)`	affected	code_commit	—
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289)`	affected	code_commit	—
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,d89b74bf08f067b55c03d7f999ba0a0e73177eb3)`	affected	code_commit	—
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,09143c0e8f3b03517e6233aad42f45c794d8df8e)`	affected	code_commit	—
`[6a2968aaf50c7a22fced77a5e24aa636281efca8,4527025d440ce84bf56e75ce1df2e84cb8178616)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.2`	affected	generic	—
`[0,3.2)`	unaffected	generic	—
`[0,5.11.0)`	unaffected	semver	—
`[0,5.16.0)`	unaffected	semver	—
`[0,6.2.0)`	unaffected	semver	—
`[0,6.7.0)`	unaffected	semver	—
`[0,6.13.0)`	unaffected	semver	—
`[0,6.19.0)`	unaffected	semver	—
`[0,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that moves the rx_wq flush after the request lock release, as referenced in the kernel commit logs (see the provided Git URLs).
If a patched kernel is not immediately available, temporarily disable the NFC NCI module or prevent NFC device usage until the patch can be applied. This reduces the attack surface by removing the code path that can deadlock.
After applying the patch or disabling the module, run comprehensive NCI self‑tests to confirm that no deadlock occurs and that other NFC functionality remains intact.

Generated by OpenCVE AI on April 22, 2026 at 18:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e
https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289
https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616
https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3
https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf
https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4
https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3
https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79
https://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31509-8609@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31509
https://www.cve.org/CVERecord?id=CVE-2026-31509

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-833
References		https://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31509-8609@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31509 https://www.cve.org/CVERecord?id=CVE-2026-31509

Wed, 22 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move the flush of rx_wq after req_lock has been released. This should safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN. NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs.
Title		nfc: nci: fix circular locking dependency in nci_close_device
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289 https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616 https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3 https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4 https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3 https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:27.436Z

Updated: 2026-04-22T13:54:27.436Z

Reserved: 2026-03-09T15:48:24.106Z

Link: CVE-2026-31509

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:49.947

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31509

Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31509 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T18:45:24Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object