{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31629", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.124Z", "datePublished": "2026-04-24T14:42:49.849Z", "dateUpdated": "2026-05-11T22:12:30.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:30.689Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/llcp_core.c"], "versions": [{"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "lessThan": "0eb1263a3b8c36418c9ba295c9ab3abed664edbf", "status": "affected", "versionType": "git"}, {"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "lessThan": "796e0cac058252d0ad34ebe288e6f7979b5fc9b2", "status": "affected", "versionType": "git"}, {"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "lessThan": "8977fad2b3c6eefd414131168d597c5d1d5e1abf", "status": "affected", "versionType": "git"}, {"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "lessThan": "ff3d9e8f7244293e303f7b6ef70774291c7c27e9", "status": "affected", "versionType": "git"}, {"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "lessThan": "aba4712e8f0381cd5d196534ce2ad082626a5ab6", "status": "affected", "versionType": "git"}, {"version": "d646960f7986fefb460a2b062d5ccc8ccfeacc3a", "lessThan": "2b5dd4632966c39da6ba74dbc8689b309065e82c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/llcp_core.c"], "versions": [{"version": "3.3", "status": "affected"}, {"version": "0", "lessThan": "3.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf"}, {"url": "https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2"}, {"url": "https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf"}, {"url": "https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9"}, {"url": "https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6"}, {"url": "https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c"}], "title": "nfc: llcp: add missing return after LLCP_CLOSED checks", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAB12062-558C-4570-A908-D71195858ADA", "versionEndExcluding": "6.6.136", "versionStartIncluding": "3.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through."}], "id": "CVE-2026-31629", "lastModified": "2026-04-27T20:36:33.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:42.217", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nfc: llcp: add missing return after LLCP_CLOSED checks", "id": "2461553", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461553"}, "csaw": false, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's Near Field Communication (NFC) Logical Link Control Protocol (LLCP) subsystem. Missing return statements after LLCP_CLOSED checks in the nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() functions can lead to a use-after-free vulnerability. This occurs because the system attempts to release resources twice, causing a reference count underflow. An attacker could potentially exploit this to cause a denial of service or other system instability."], "name": "CVE-2026-31629", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31629\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31629\nhttps://lore.kernel.org/linux-cve-announce/2026042428-CVE-2026-31629-84ab@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d646960f7986fefb460a2b062d5ccc8ccfeacc3a,0eb1263a3b8c36418c9ba295c9ab3abed664edbf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d646960f7986fefb460a2b062d5ccc8ccfeacc3a,796e0cac058252d0ad34ebe288e6f7979b5fc9b2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d646960f7986fefb460a2b062d5ccc8ccfeacc3a,8977fad2b3c6eefd414131168d597c5d1d5e1abf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d646960f7986fefb460a2b062d5ccc8ccfeacc3a,ff3d9e8f7244293e303f7b6ef70774291c7c27e9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d646960f7986fefb460a2b062d5ccc8ccfeacc3a,aba4712e8f0381cd5d196534ce2ad082626a5ab6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d646960f7986fefb460a2b062d5ccc8ccfeacc3a,2b5dd4632966c39da6ba74dbc8689b309065e82c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.1-rc1,*)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:55:32.768205+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that incorporates the patch adding the missing returns to nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc().", "If an immediate kernel upgrade is not possible, disable NFC LLCP services or block NFC traffic to eliminate the code paths that can trigger the double release.", "After updating or disabling the service, monitor system logs for any indications of kernel panics or use\u2011after\u2011free errors to verify that the issue no longer occurs."], "summary": {"action": "Patch immediately", "impact": "Use-after-Free"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Linux kernel builds that include the buggy nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() functions. Any distribution that has not applied the patch commit adding the missing return statements remains vulnerable. The issue is present in the mainline kernel source before the upstream fix.", "description_and_impact": "In the Linux kernel's NFC LLCP implementation, two functions incorrectly fall through after handling a closed socket state. The code calls release_sock() and nfc_llcp_sock_put() twice, causing a reference count underflow and a use\u2011after\u2011free. This memory corruption can allow an attacker to execute arbitrary code or crash the system if the double release is triggered during normal operation.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1% shows a low probability of real\u2011world exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the code path, the attack likely requires local or privileged access to trigger the double release; remote exploitation would need a vector that can manipulate NFC LLCP traffic against the target kernel."}}}}, "created": "2026-04-27T18:45:11.326007+00:00", "updated": "2026-04-28T14:00:16.506075+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}