Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: allocate rx skb before consuming bytes

pn532_receive_buf() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already hand
a complete frame to pn533_recv_frame() before allocating a fresh receive
buffer.

If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().

Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.
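
The ordering problem described above, modelled in userspace as an added example (not the kernel driver's code and not part of the advisory). `struct rx`, `rx_alloc()`, `recv_prefix()`, `recv_fixed()` and the 4-byte frame length are constructed stand-ins for `recv_skb`, `alloc_skb()` and the driver's framing.

```c
#include <stddef.h>
#include <stdlib.h>

#define FRAME_LEN 4 /* constructed: a "frame" is complete after 4 bytes */

struct rx {
    unsigned char *buf; /* stands in for recv_skb */
    size_t len;         /* bytes stored in buf so far */
    int fail_at;        /* successful allocations left before one failure; -1 = never */
    int frames;         /* frames handed to the upper layer */
};

static unsigned char *rx_alloc(struct rx *r)
{
    if (r->fail_at == 0) { r->fail_at = -1; return NULL; } /* injected failure */
    if (r->fail_at > 0) r->fail_at--;
    return malloc(FRAME_LEN);
}

/* Pre-fix ordering: consume, hand off the frame, then allocate a replacement. */
static size_t recv_prefix(struct rx *r, const unsigned char *d, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        r->buf[r->len++] = d[i];  /* dereferences NULL if a previous alloc failed */
        if (r->len < FRAME_LEN) continue;
        free(r->buf); r->len = 0; r->frames++;  /* frame handed off */
        r->buf = rx_alloc(r);
        if (!r->buf) return 0;    /* reports 0 although i + 1 bytes were consumed */
    }
    return count;
}

/* Fixed ordering: allocate lazily before consuming the next byte. */
static size_t recv_fixed(struct rx *r, const unsigned char *d, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (!r->buf) {
            r->buf = rx_alloc(r);
            if (!r->buf) return i; /* only the bytes already accepted */
        }
        r->buf[r->len++] = d[i];
        if (r->len < FRAME_LEN) continue;
        free(r->buf); r->buf = NULL; r->len = 0; r->frames++;  /* frame handed off */
    }
    return count;
}
```

With the second allocation failing on a 6-byte chunk, the pre-fix model returns 0 after delivering a frame and leaves `buf` NULL, while the fixed model returns 4 and resumes cleanly when the caller re-offers the remaining 2 bytes.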
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Kernel Crash)
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the pn533 NFC driver in the Linux kernel. The driver allocates a fresh receive buffer (rx skb) only after consuming incoming bytes. If that memory allocation fails, the driver reports zero bytes received even though some bytes have already been consumed, and it leaves the receive buffer pointer NULL for the next callback. When the next byte is processed, the driver dereferences this NULL pointer, which causes a kernel fault and results in a system crash. This constitutes a NULL pointer dereference (CWE‑476) and can be triggered by sending malformed frames to the NFC device.

Affected Systems

This issue affects any Linux kernel that includes pn533 support, including kernel versions 5.5 and the 7.0 release candidates 1 through 7, as well as future Linux kernel releases. The affected product is the Linux kernel's NFC subsystem, and the vulnerability is tied to the pn533 driver. Systems that expose the NFC functionality are in scope.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity, while the EPSS score is below 1 %, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker able to communicate with the pn533 NFC device, such as a malicious NFC tag or a device that can inject frames into the driver. Since the bug arises from a failed memory allocation, the attacker would need to maneuver the system into memory pressure or supply specially crafted frames to trigger the fault. Administrators should therefore apply the latest kernel patch that fixes the allocation logic, or disable the NFC driver if the functionality is unnecessary.

Generated by OpenCVE AI on April 28, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the fix for the pn533 allocation issue (e.g., the commit referenced in the NVD advisories).
  • If a kernel update is not feasible, disable the NFC driver by removing the module or blocking the device interface, thereby preventing interaction with pn533.
  • Ensure the system is not subjected to high memory pressure that could cause alloc_skb failures, and consider adding safeguards such as a systemd service that monitors NFC traffic and limits allocation attempts.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title nfc: pn533: allocate rx skb before consuming bytes
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:07.366Z

Reserved: 2026-03-09T15:48:24.129Z

Link: CVE-2026-31660

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:45.577

Modified: 2026-04-27T20:17:30.450

Link: CVE-2026-31660

Redhat

Severity :

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31660 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:00:16Z
