{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31660", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.129Z", "datePublished": "2026-04-24T14:45:11.039Z", "dateUpdated": "2026-05-11T22:13:07.366Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:07.366Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nfc/pn533/uart.c"], "versions": [{"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "8b71299d587d9e4c830c18afb884c80ddb30ad28", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "16649adc2e19509104245ea1f349b629d858f11f", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "07cb6c72e66ba548679f22ac29ad588da8999279", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "a9495069b43b8634c1ae0042e888766c34f66637", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "21ae2cda66a55c759607bbf1d23cbaa42019d2de", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "7e37da42eda45d7859d9273fc7e225d8df458038", "status": "affected", "versionType": "git"}, {"version": "c656aa4c27b17a8c70da223ed5ab42145800d6b5", "lessThan": "c71ba669b570c7b3f86ec875be222ea11dacb352", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nfc/pn533/uart.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb"}, {"url": "https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28"}, {"url": "https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f"}, {"url": "https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279"}, {"url": "https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637"}, {"url": "https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de"}, {"url": "https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038"}, {"url": "https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352"}], "title": "nfc: pn533: allocate rx skb before consuming bytes", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "45E871E1-B00E-4E88-83A3-60B38EAF2B8A", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*", "matchCriteriaId": "EE98F46A-F7D9-4609-B6A0-882E7F0D378C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: allocate rx skb before consuming bytes\n\npn532_receive_buf() reports the number of accepted bytes to the serdev\ncore. The current code consumes bytes into recv_skb and may already hand\na complete frame to pn533_recv_frame() before allocating a fresh receive\nbuffer.\n\nIf that alloc_skb() fails, the callback returns 0 even though it has\nalready consumed bytes, and it leaves recv_skb as NULL for the next\nreceive callback. That breaks the receive_buf() accounting contract and\ncan also lead to a NULL dereference on the next skb_put_u8().\n\nAllocate the receive skb lazily before consuming the next byte instead.\nIf allocation fails, return the number of bytes already accepted."}], "id": "CVE-2026-31660", "lastModified": "2026-04-27T20:17:30.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:45.577", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nfc: pn533: allocate rx skb before consuming bytes", "id": "2461486", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461486"}, "csaw": false, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel's Near Field Communication (NFC) pn533 driver. This vulnerability arises from an issue in how the driver manages receive buffers. When processing incoming data, the driver may attempt to write to a non-existent buffer if a new one fails to allocate. This can lead to a system crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-31660", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31660\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31660\nhttps://lore.kernel.org/linux-cve-announce/2026042403-CVE-2026-31660-9293@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,8b71299d587d9e4c830c18afb884c80ddb30ad28)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,16649adc2e19509104245ea1f349b629d858f11f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,07cb6c72e66ba548679f22ac29ad588da8999279)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,a9495069b43b8634c1ae0042e888766c34f66637)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,21ae2cda66a55c759607bbf1d23cbaa42019d2de)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,7e37da42eda45d7859d9273fc7e225d8df458038)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c656aa4c27b17a8c70da223ed5ab42145800d6b5,c71ba669b570c7b3f86ec875be222ea11dacb352)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.169,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.135,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.82,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.23,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:45:07.552300+00:00", "value": {"mitigation_remediation": ["Upgrade to a Linux kernel version that includes the fix for the pn533 allocation issue (e.g., the commit referenced in the NVD advisories).", "If a kernel update is not feasible, disable the NFC driver by removing the module or blocking the device interface, thereby preventing interaction with pn533. ", "Ensure the system is not subjected to high memory pressure that could cause alloc_skb failures, and consider adding safeguards such as a systemd service that monitors NFC traffic and limits allocation attempts."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (Kernel Crash)"}, "threat_synthesis": {"affected_systems": "This issue affects any Linux kernel that includes pn533 support, including kernel versions 5.5 and the 7.0 release candidates 1 through 7, as well as future Linux kernel releases. The affected product is the Linux kernel's NFC subsystem, and the vulnerability is tied to the pn533 driver. Systems that expose the NFC functionality are in scope.", "description_and_impact": "The vulnerability resides in the pn533 NFC driver in the Linux kernel. The driver incorrectly allocates a receive buffer (rx skb) only after consuming incoming bytes. If the memory allocation fails, the driver reports zero bytes received while some bytes have already been consumed, leaving the receive buffer pointer NULL for the next callback. During the subsequent processing of the next byte, the driver performs a dereference of this NULL pointer, which causes a kernel fault and results in a system crash. This constitutes a NULL pointer dereference (CWE\u2011476) and can be triggered by sending malformed frames to the NFC device.", "risk_and_exploitability": "The CVSS score is 5.5, indicating moderate severity, while the EPSS score is below 1\u202f%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker able to communicate with the pn533 NFC device, such as a malicious NFC tag or a device that can inject frames into the driver. Since the bug arises from a failed memory allocation, the attacker would need to maneuver the system into memory pressure or supply specially crafted frames to trigger the fault. Administrators should therefore apply the latest kernel patch that fixes the allocation logic, or disable the NFC driver if the functionality is unnecessary."}}}}, "created": "2026-04-27T21:45:14.290803+00:00", "updated": "2026-04-28T14:00:16.474487+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}