{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23291", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:49.634Z", "dateUpdated": "2026-05-11T22:04:02.263Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:02.263Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: properly drop the usb interface reference on disconnect\n\nWhen the device is disconnected from the driver, there is a \"dangling\"\nreference count on the usb interface that was grabbed in the probe\ncallback. Fix this up by properly dropping the reference after we are\ndone with it."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nfc/pn533/usb.c"], "versions": [{"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "6645b030b0c1fc5bf338bffb0044238f24b2f770", "status": "affected", "versionType": "git"}, {"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "5be8aa2bcfb53158436182db8dee9d0b8e5901e6", "status": "affected", "versionType": "git"}, {"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "7398d6570501edc55a50ece820f369ab3c1df2e7", "status": "affected", "versionType": "git"}, {"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0", "status": "affected", "versionType": "git"}, {"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "7ff14eb070f0efecb2606f8d7aa01b77d188e886", "status": "affected", "versionType": "git"}, {"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "00477cab053dc4816b99141d8fcca7a479cfebeb", "status": "affected", "versionType": "git"}, {"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74", "status": "affected", "versionType": "git"}, {"version": "c46ee38620a2aa2b25b16bc9738ace80dbff76a4", "lessThan": "12133a483dfa832241fbbf09321109a0ea8a520e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/nfc/pn533/usb.c"], "versions": [{"version": "3.1", "status": "affected"}, {"version": "0", "lessThan": "3.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6645b030b0c1fc5bf338bffb0044238f24b2f770"}, {"url": "https://git.kernel.org/stable/c/5be8aa2bcfb53158436182db8dee9d0b8e5901e6"}, {"url": "https://git.kernel.org/stable/c/7398d6570501edc55a50ece820f369ab3c1df2e7"}, {"url": "https://git.kernel.org/stable/c/d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0"}, {"url": "https://git.kernel.org/stable/c/7ff14eb070f0efecb2606f8d7aa01b77d188e886"}, {"url": "https://git.kernel.org/stable/c/00477cab053dc4816b99141d8fcca7a479cfebeb"}, {"url": "https://git.kernel.org/stable/c/4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74"}, {"url": "https://git.kernel.org/stable/c/12133a483dfa832241fbbf09321109a0ea8a520e"}], "title": "nfc: pn533: properly drop the usb interface reference on disconnect", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: properly drop the usb interface reference on disconnect\n\nWhen the device is disconnected from the driver, there is a \"dangling\"\nreference count on the usb interface that was grabbed in the probe\ncallback. Fix this up by properly dropping the reference after we are\ndone with it."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnfc: pn533: soltar correctamente la referencia de la interfaz USB al desconectarse\n\nCuando el dispositivo se desconecta del controlador, hay un contador de referencias 'colgante' en la interfaz USB que fue obtenida en la funci\u00f3n de devoluci\u00f3n de llamada de sondeo. Solucionar esto soltando correctamente la referencia despu\u00e9s de que hayamos terminado con ella."}], "id": "CVE-2026-23291", "lastModified": "2026-04-18T09:16:17.077", "metrics": {}, "published": "2026-03-25T11:16:24.197", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/00477cab053dc4816b99141d8fcca7a479cfebeb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/12133a483dfa832241fbbf09321109a0ea8a520e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5be8aa2bcfb53158436182db8dee9d0b8e5901e6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6645b030b0c1fc5bf338bffb0044238f24b2f770"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7398d6570501edc55a50ece820f369ab3c1df2e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ff14eb070f0efecb2606f8d7aa01b77d188e886"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: nfc: pn533: properly drop the usb interface reference on disconnect", "id": "2451186", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451186"}, "csaw": false, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's `nfc: pn533` driver. When a device is disconnected, a reference count on the USB interface is not properly dropped, leading to a dangling reference. This resource management issue may lead to system instability or a denial of service (DoS)."], "name": "CVE-2026-23291", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23291\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23291\nhttps://lore.kernel.org/linux-cve-announce/2026032525-CVE-2026-23291-eae3@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c46ee38620a2aa2b25b16bc9738ace80dbff76a4,7398d6570501edc55a50ece820f369ab3c1df2e7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c46ee38620a2aa2b25b16bc9738ace80dbff76a4,d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c46ee38620a2aa2b25b16bc9738ace80dbff76a4,7ff14eb070f0efecb2606f8d7aa01b77d188e886)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c46ee38620a2aa2b25b16bc9738ace80dbff76a4,00477cab053dc4816b99141d8fcca7a479cfebeb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c46ee38620a2aa2b25b16bc9738ace80dbff76a4,4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c46ee38620a2aa2b25b16bc9738ace80dbff76a4,12133a483dfa832241fbbf09321109a0ea8a520e)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,3.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:26:16.603254+00:00", "value": {"mitigation_remediation": ["Upgrade to a kernel version that includes the patched pn533 driver.", "If an immediate kernel update is unavailable, disable or unload the pn533 driver until a patch is applied.", "Verify that the device no longer causes kernel crashes after the update or disablement."], "summary": {"action": "Update Kernel", "impact": "Denial of Service (kernel crash due to dangling USB interface reference)"}, "threat_synthesis": {"affected_systems": "All versions of the Linux kernel that contain the pn533 NFC driver before the patch are potentially affected. No precise kernel release is listed, so any deployment that includes the original probe implementation is at risk.", "description_and_impact": "The vulnerability involves a dangling reference count on the USB interface used by the NFC PN533 driver in the Linux kernel. When the device is disconnected, the driver fails to release the reference that was taken during probe, leaving a stray count. Based on the description, such an unresolved reference can lead the kernel to operate on freed or invalid memory, potentially causing a kernel crash and resulting in a denial\u2011of\u2011service.", "risk_and_exploitability": "The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of exploitation in the wild. The flaw requires local access to a system with the NFC device; the attacker would need to physically or virtually disconnect the device to trigger the failing reference count. The likely attack vector is local device disconnection, making external exploitation unlikely. The potential impact if exploited is a kernel crash that could render the system unusable until reboot."}}}}, "created": "2026-03-25T21:15:39.373907+00:00", "updated": "2026-03-27T09:50:14.165055+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}