Description
In the Linux kernel, the following vulnerability has been resolved:

NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
or 4 bytes to target->nfcid1 on each round, but the number of cascade
rounds is controlled entirely by the peer device. The peer sets the
cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
cascade-incomplete bit in the SEL_RES (deciding whether another round
follows).

ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
actually enforces this. This means a malicious peer can keep the
cascade running, writing past the heap-allocated nfc_target with each
round.

Fix this by rejecting the response when the accumulated UID would exceed
the buffer.

Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
fixed similar missing checks against the same field on the NCI path.
Published: 2026-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Buffer overflow potential
Action: Apply patch
AI Analysis

Impact

The Linux kernel NFC digital driver lets the peer device alone decide how many NFC‑A anti‑collision cascade rounds take place, without enforcing the three‑level limit defined by ISO 14443‑3. If a malicious peer keeps the cascade going, the driver appends three or four bytes to the target->nfcid1 field on each round. Because target->nfcid1 is sized for only ten bytes, repeated rounds can overwrite adjacent heap memory. The CVE description states that the driver writes past the heap-allocated nfc_target, which is a heap buffer overflow; it does not state that this leads to arbitrary code execution, so that outcome would be an inference.
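The bounds check the description calls for, shown as a userspace model added here (not the kernel's code or the actual patch). `model_target`, `append_sdd_round` and `run_cascade` are hypothetical names, and the response bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFCID1_MAXSIZE 10   /* value the page gives for NFC_NFCID1_MAXSIZE */
#define CASCADE_TAG    0x88 /* ISO 14443-3 cascade tag (CT) */
/* Hypothetical stand-in for the nfcid1 fields of struct nfc_target. */
struct model_target {
    uint8_t nfcid1[NFCID1_MAXSIZE];
    uint8_t nfcid1_len;
};

/* Append one round (3 UID bytes after a CT, else 4); -1 if it would not fit. */
static int append_sdd_round(struct model_target *t, const uint8_t uid[4])
{
    size_t offset = (uid[0] == CASCADE_TAG) ? 1 : 0;
    size_t size = 4 - offset;
    /* Reject before copying, so the peer's round count cannot outgrow nfcid1[]. */
    if (t->nfcid1_len + size > NFCID1_MAXSIZE)
        return -1;
    memcpy(t->nfcid1 + t->nfcid1_len, uid + offset, size);
    t->nfcid1_len += (uint8_t)size;
    return 0;
}

/* Feed constructed rounds (bit i of ct_mask = CT in round i); returns rounds accepted. */
static int run_cascade(int rounds, unsigned ct_mask, uint8_t *len_out)
{
    struct model_target t = {0};
    int accepted = 0;
    for (int i = 0; i < rounds; i++) {
        uint8_t uid[4] = { 0x11, 0x22, 0x33, 0x44 };  /* constructed bytes */
        if (ct_mask & (1u << i))
            uid[0] = CASCADE_TAG;
        if (append_sdd_round(&t, uid) != 0)
            break;                  /* abort anti-collision on rejection */
        accepted++;
    }
    *len_out = t.nfcid1_len;
    return accepted;
}

int main(void)
{
    uint8_t len;
    int n = run_cascade(8, 0xff, &len);  /* peer never ends the cascade */
    printf("accepted %d rounds, UID length %d\n", n, len);
    return 0;
}
```

A conforming triple-size UID (CT, CT, final round) fills exactly ten bytes and is accepted; any further round is rejected with the stored length unchanged.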

Affected Systems

Linux kernel builds that enable the NFC digital driver are affected. The flaw exists in any kernel release before the commit that introduces bounds checking for the nfc_target arrays, which was merged for all standard distributions after the vulnerability was reported. Systems that have not upgraded to a patched kernel will still be vulnerable.

Risk and Exploitability

The vulnerability received a CVSS score of 8.8, indicating high severity. The EPSS score of less than 1% suggests that, at the time of analysis, exploitation attempts are infrequent. The most probable attack vector involves a physically proximate NFC‑capable device able to send a specially crafted message to the target system. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploit has been documented.

Generated by OpenCVE AI on April 28, 2026 at 13:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the bounds‑checking commit for NFC‑A cascade depth.
  • If an immediate kernel upgrade is not possible, disable NFC support by removing or masking the relevant kernel modules or via sysfs options so that the driver does not process external NFC traffic.
  • Verify that the kernel configuration does not enable the NFC stack unless it is required for the system’s operation, reducing the exposure to malicious NFC peers.

Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update

History

Mon, 27 Apr 2026 15:00:00 +0000

Values added:
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Values added:
Description: added (text identical to the Description at the top of this page)
Title: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel

MITRE

Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-05-11T22:12:22.270Z
Reserved: 2026-03-09T15:48:24.124Z
Link: CVE-2026-31622

Vulnrichment

No data.

NVD

Status: Analyzed
Published: 2026-04-24T15:16:41.487
Modified: 2026-04-28T14:14:07.097
Link: CVE-2026-31622

Redhat

Severity:
Public Date: 2026-04-24T00:00:00Z
Links: CVE-2026-31622 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:00:16Z

Weaknesses