Description
In the Linux kernel, the following vulnerability has been resolved:

NFC: pn533: bound the UART receive buffer

pn532_receive_buf() appends every incoming byte to dev->recv_skb and
only resets the buffer after pn532_uart_rx_is_frame() recognizes a
complete frame. A continuous stream of bytes without a valid PN532 frame
header therefore keeps growing the skb until skb_put_u8() hits the tail
limit.

Drop the accumulated partial frame once the fixed receive buffer is full
so malformed UART traffic cannot grow the skb past
PN532_UART_SKB_BUFF_LEN.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel NFC driver for the pn532 contains a flaw where each incoming UART byte is appended to a socket buffer (dev->recv_skb) without resetting until a complete frame header is detected. A continuous stream of bytes that does not form a valid PN532 frame header causes the buffer to grow until it reaches the tail limit defined by skb_put_u8(). This buffer overrun can consume kernel memory and, based on the description, it is inferred that an overflow may result in memory corruption or a system crash, leading to denial of service.

Affected Systems

All Linux kernel releases that include the pn532 NFC driver without the binding fix are affected, including active kernel branches up to Linux 7.0 release candidates. Any system running these kernels and using a pn532 NFC device is potentially exposed until the vendor’s patch is applied. The relevant patches and commit references are provided in the CVE references list.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of <1% reflects a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or device-controlled, requiring the attacker to inject malformed UART traffic to the pn532 device; based on the description, it is inferred that such an attack would need physical or direct device access. Although no public exploits have been reported, the potential for memory exhaustion warrants caution.

Generated by OpenCVE AI on May 9, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied kernel patch or update to a kernel version that includes the pn532 UART buffer binding fix.
  • If the pn532 device or driver is not required, unload or disable the pn532 NFC driver module to eliminate the risk.
  • As an interim measure, enforce device-side constraints or firmware limits that truncate the receive buffer when it reaches the predefined size, preventing uncontrolled buffer growth.

Generated by OpenCVE AI on May 9, 2026 at 00:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 08 May 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References

Fri, 01 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: NFC: pn533: bound the UART receive buffer pn532_receive_buf() appends every incoming byte to dev->recv_skb and only resets the buffer after pn532_uart_rx_is_frame() recognizes a complete frame. A continuous stream of bytes without a valid PN532 frame header therefore keeps growing the skb until skb_put_u8() hits the tail limit. Drop the accumulated partial frame once the fixed receive buffer is full so malformed UART traffic cannot grow the skb past PN532_UART_SKB_BUFF_LEN.
Title NFC: pn533: bound the UART receive buffer
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:23.913Z

Reserved: 2026-05-01T14:12:55.977Z

Link: CVE-2026-43032

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:47.787

Modified: 2026-05-08T18:39:32.083

Link: CVE-2026-43032

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43032 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T00:15:21Z

Weaknesses