{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31509", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.106Z", "datePublished": "2026-04-22T13:54:27.436Z", "dateUpdated": "2026-05-11T22:10:10.109Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:10.109Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete\n -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target\n -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/nci/core.c"], "versions": [{"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "7ed00a3edc8597fe2333f524401e2889aa1b5edf", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "5eef9ebec7f5738f12cadede3545c05b34bf5ac3", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "ca54e904a071aa65ef3ad46ba42d51aaac6b73b4", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "eb435d150ca74b4d40f77f1a2266f3636ed64a79", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "d89b74bf08f067b55c03d7f999ba0a0e73177eb3", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "09143c0e8f3b03517e6233aad42f45c794d8df8e", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "4527025d440ce84bf56e75ce1df2e84cb8178616", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/nci/core.c"], "versions": [{"version": "3.2", "status": "affected"}, {"version": "0", "lessThan": "3.2", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf"}, {"url": "https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3"}, {"url": "https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4"}, {"url": "https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79"}, {"url": "https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289"}, {"url": "https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3"}, {"url": "https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e"}, {"url": "https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616"}], "title": "nfc: nci: fix circular locking dependency in nci_close_device", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8136AA8-F2F0-4960-9AAF-176AC6ACEA92", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*", "matchCriteriaId": "2BEBAC7C-43AE-4D02-A957-26F89F27E0AC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete\n -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target\n -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs."}], "id": "CVE-2026-31509", "lastModified": "2026-04-28T15:02:57.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:49.947", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nfc: nci: fix circular locking dependency in nci_close_device", "id": "2460679", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460679"}, "csaw": false, "cwe": "CWE-833", "details": ["A flaw was found in the Linux kernel, specifically within the Near Field Communication (NFC) NCI subsystem. A circular locking dependency can occur when the `nci_close_device()` function attempts to flush work queues while holding a lock that can be re-acquired by a work queue function. This improper handling of locks can lead to a system hang, resulting in a denial of service (DoS)."], "name": "CVE-2026-31509", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31509\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31509\nhttps://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31509-8609@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,7ed00a3edc8597fe2333f524401e2889aa1b5edf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,5eef9ebec7f5738f12cadede3545c05b34bf5ac3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,ca54e904a071aa65ef3ad46ba42d51aaac6b73b4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,eb435d150ca74b4d40f77f1a2266f3636ed64a79)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,d89b74bf08f067b55c03d7f999ba0a0e73177eb3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,09143c0e8f3b03517e6233aad42f45c794d8df8e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,4527025d440ce84bf56e75ce1df2e84cb8178616)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T02:23:19.007444+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that moves the rx_wq flush after the request lock release, as referenced in the kernel commit logs (see the provided Git URLs).", "If a patched kernel is not immediately available, temporarily disable the NFC NCI module or prevent NFC device usage until the patch can be applied. This reduces the attack surface by removing the code path that can deadlock.", "After applying the patch or disabling the module, run comprehensive NCI self-tests to confirm that no deadlock occurs and that other NFC functionality remains intact."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via deadlock"}, "threat_synthesis": {"affected_systems": "All publicly available Linux kernel builds that include the NFC NCI subsystem prior to the patched code contain this flaw. No specific versions are listed, but the CPE indicates that every Linux kernel is potentially affected. Users of distributions shipping default kernels should verify that their kernel includes the patch that moves the rx queue flush after the request lock is released.", "description_and_impact": "The vulnerability arises from a circular locking dependency in the Linux kernel\u2019s NFC NCI subsystem. While closing an NCI device, the code flushes both the rx and tx work queues while still holding the request lock, allowing a worker on the rx queue to acquire the same lock and cause a deadlock. This misuse of the kernel\u2019s dispatch services also falls under CWE-833, because the subsystem attempts to perform work and lock operations in an improper order, leading to the same deadlock. The flaw also matches CWE-667, which describes deadlocks caused by incorrect lock ordering.", "risk_and_exploitability": "The EPSS score is < 1% (specifically 0.00032) and the flaw is not listed in the CISA KEV catalog, indicating a very low exploitation probability. The CVSS score of 5.5 indicates a medium severity centered on availability. The attack vector is likely local or device-based; a compromised NFC device or user with permissions to load NFC drivers could force the deadlock. Once triggered, the system may become unresponsive until rebooted. Given the critical nature of kernel deadlocks, the risk to availability is high and immediate mitigation is recommended."}}}}, "created": "2026-04-22T18:15:15.248525+00:00", "updated": "2026-04-29T02:30:07.586058+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}