Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: fix circular locking dependency in nci_close_device

nci_close_device() flushes rx_wq and tx_wq while holding req_lock.
This causes a circular locking dependency because nci_rx_work()
running on rx_wq can end up taking req_lock too:

nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete
-> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target
-> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)

Move the flush of rx_wq after req_lock has been released.
This should safe (I think) because NCI_UP has already been cleared
and the transport is closed, so the work will see it and return
-ENETDOWN.

NIPA has been hitting this running the nci selftest with a debug
kernel on roughly 4% of the runs.
Published: 2026-04-22
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via deadlock
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a circular locking dependency in the Linux kernel’s NFC NCI subsystem. While closing an NCI device, the code flushes both the rx and tx work queues while still holding the request lock, allowing a worker on the rx queue to acquire the same lock and cause a deadlock. This misuse of the kernel’s dispatch services also falls under CWE-833, because the subsystem attempts to perform work and lock operations in an improper order, leading to the same deadlock. The flaw also matches CWE-667, which describes deadlocks caused by incorrect lock ordering.

Affected Systems

All publicly available Linux kernel builds that include the NFC NCI subsystem prior to the patched code contain this flaw. No specific versions are listed, but the CPE indicates that every Linux kernel is potentially affected. Users of distributions shipping default kernels should verify that their kernel includes the patch that moves the rx queue flush after the request lock is released.

Risk and Exploitability

The EPSS score is < 1% (specifically 0.00032) and the flaw is not listed in the CISA KEV catalog, indicating a very low exploitation probability. The CVSS score of 5.5 indicates a medium severity centered on availability. The attack vector is likely local or device-based; a compromised NFC device or user with permissions to load NFC drivers could force the deadlock. Once triggered, the system may become unresponsive until rebooted. Given the critical nature of kernel deadlocks, the risk to availability is high and immediate mitigation is recommended.

Generated by OpenCVE AI on April 29, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that moves the rx_wq flush after the request lock release, as referenced in the kernel commit logs (see the provided Git URLs).
  • If a patched kernel is not immediately available, temporarily disable the NFC NCI module or prevent NFC device usage until the patch can be applied. This reduces the attack surface by removing the code path that can deadlock.
  • After applying the patch or disabling the module, run comprehensive NCI self-tests to confirm that no deadlock occurs and that other NFC functionality remains intact.

Generated by OpenCVE AI on April 29, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 29 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References

Wed, 22 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move the flush of rx_wq after req_lock has been released. This should safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN. NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs.
Title nfc: nci: fix circular locking dependency in nci_close_device
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:10.109Z

Reserved: 2026-03-09T15:48:24.106Z

Link: CVE-2026-31509

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:49.947

Modified: 2026-04-28T15:02:57.200

Link: CVE-2026-31509

cve-icon Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31509 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z

Weaknesses