{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31660", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.129Z", "datePublished": "2026-04-24T14:45:11.039Z", "dateUpdated": "2026-04-24T14:45:11.039Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-24T14:45:11.039Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nfc/pn533/uart.c"], "versions": [{"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "8b71299d587d9e4c830c18afb884c80ddb30ad28", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "16649adc2e19509104245ea1f349b629d858f11f", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "07cb6c72e66ba548679f22ac29ad588da8999279", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "a9495069b43b8634c1ae0042e888766c34f66637", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "21ae2cda66a55c759607bbf1d23cbaa42019d2de", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "7e37da42eda45d7859d9273fc7e225d8df458038", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "c71ba669b570c7b3f86ec875be222ea11dacb352", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nfc/pn533/uart.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb"}, {"url": "https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28"}, {"url": "https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f"}, {"url": "https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279"}, {"url": "https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637"}, {"url": "https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de"}, {"url": "https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038"}, {"url": "https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352"}], "title": "nfc: pn533: allocate rx skb before consuming bytes", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted."}], "id": "CVE-2026-31660", "lastModified": "2026-04-24T17:51:40.810", "metrics": {}, "published": "2026-04-24T15:16:45.577", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}