CVE-2026-43098 - Vulnerability Details

- nfc: s3fwrn5: allocate rx skb before consuming bytes

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: s3fwrn5: allocate rx skb before consuming bytes

s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already
deliver a complete frame before allocating a fresh receive buffer.

If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().

Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux NFC s3fwrn5 driver fails to properly handle allocation failures. When a call to alloc_skb() returns NULL, the driver still reports that a frame has been consumed and may leave the receive buffer pointer as NULL. The next use of skb_put_u8() dereferences this NULL pointer, causing a kernel panic. This results in a system crash and loss of availability for the affected host.

Affected Systems

All Linux kernel implementations that include the NFC s3fwrn5 driver are affected, regardless of vendor. The vulnerability is present in the mainline kernel until a patch that lazily allocates the receive skb before consuming bytes is applied. No specific version information is provided, so any kernel version that ships a version of the driver that contains the flaw is impacted.

Risk and Exploitability

The exploit environment requires the attacker to be able to generate or influence NFC data processed by the s3fwrn5 driver. The exact attack vector – whether local, network, or physical – is not explicitly detailed but the kernel-level nature of the flaw suggests a local or remote application with access to the NFC device could trigger it. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Nonetheless, a successful NULL‑dereference results in a kernel panic, so the impact is a denial‑of‑service of the affected machine.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3f52c2cb7e3ada37513dabb69a22cf917dba754f`	affected	< d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156
`3f52c2cb7e3ada37513dabb69a22cf917dba754f`	affected	< 7c31f7a599cf00fad3c204092a91a924126c67e4
`3f52c2cb7e3ada37513dabb69a22cf917dba754f`	affected	< 6d931680a9851481c3243689488eafed08eeff71
`3f52c2cb7e3ada37513dabb69a22cf917dba754f`	affected	< 09822d3d6f68a0cdc4626e0c507324a4927f55a9
`3f52c2cb7e3ada37513dabb69a22cf917dba754f`	affected	< 5c14a19d5b1645cce1cb1252833d70b23635b632

Linux

affected

Version	Status	Constraints
`5.11`	affected	—
`0`	unaffected	< 5.11
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[3f52c2cb7e3ada37513dabb69a22cf917dba754f,d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156)`	affected	code_commit	—
`[3f52c2cb7e3ada37513dabb69a22cf917dba754f,7c31f7a599cf00fad3c204092a91a924126c67e4)`	affected	code_commit	—
`[3f52c2cb7e3ada37513dabb69a22cf917dba754f,6d931680a9851481c3243689488eafed08eeff71)`	affected	code_commit	—
`[3f52c2cb7e3ada37513dabb69a22cf917dba754f,09822d3d6f68a0cdc4626e0c507324a4927f55a9)`	affected	code_commit	—
`[3f52c2cb7e3ada37513dabb69a22cf917dba754f,5c14a19d5b1645cce1cb1252833d70b23635b632)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.11`	affected	semver	—
`[0,5.11)`	unaffected	semver	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that includes the fix (e.g., integrates commit 09822d3d6f68a0cdc4626e0c507324a4927f55a9).
If an immediate kernel upgrade cannot be performed, disable the NFC s3fwrn5 driver by removing or blacklisting the module or by disabling the NFC hardware in the system.
Restrict access to NFC devices by configuring appropriate capabilities or ACLs so that only trusted processes can interact with the driver.
Monitor system logs for kernel panic events related to NFC to detect potential exploitation attempts.

Generated by OpenCVE AI on May 6, 2026 at 11:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/09822d3d6f68a0cdc4626e0c507324a4927f55a9
https://git.kernel.org/stable/c/5c14a19d5b1645cce1cb1252833d70b23635b632
https://git.kernel.org/stable/c/6d931680a9851481c3243689488eafed08eeff71
https://git.kernel.org/stable/c/7c31f7a599cf00fad3c204092a91a924126c67e4
https://git.kernel.org/stable/c/d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156

History

Wed, 06 May 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 06 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nfc: s3fwrn5: allocate rx skb before consuming bytes s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complete frame before allocating a fresh receive buffer. If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8(). Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.
Title		nfc: s3fwrn5: allocate rx skb before consuming bytes
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/09822d3d6f68a0cdc4626e0c507324a4927f55a9 https://git.kernel.org/stable/c/5c14a19d5b1645cce1cb1252833d70b23635b632 https://git.kernel.org/stable/c/6d931680a9851481c3243689488eafed08eeff71 https://git.kernel.org/stable/c/7c31f7a599cf00fad3c204092a91a924126c67e4 https://git.kernel.org/stable/c/d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T07:40:28.845Z

Updated: 2026-05-06T07:40:28.845Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43098

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:23.250

Modified: 2026-05-06T10:16:23.250

Link: CVE-2026-43098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T12:15:03Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object