CVE-2026-31629
Published: Apr 24, 2026
Modified: Jun 1, 2026
CVSS v3.1
8.8
Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: add missing return after LLCP_CLOSED checks

In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free.

Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
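The fall-through the description explains, as an added userspace model in C (not kernel code and not taken from the fix commit). The struct, the helper names and the assumption that the handler takes one reference and the lock on entry are hypothetical.

```c
#include <stdio.h>

/* Constructed userspace model, not kernel code. All names are hypothetical. */
enum model_state { MODEL_CONNECTED, MODEL_CLOSED };

struct model_sock {
    enum model_state state;
    int refcnt;     /* starts at 1: the reference held by the socket's owner */
    int lock_depth; /* 0 = unlocked, 1 = locked, negative = released twice */
};

/* Assumption: the handler takes one reference and the lock on entry.
 * leave() stands in for the release_sock() + nfc_llcp_sock_put() pair. */
static void enter(struct model_sock *s) { s->refcnt++; s->lock_depth++; }
static void leave(struct model_sock *s) { s->lock_depth--; s->refcnt--; }

/* Shape before the fix: the closed branch cleans up, then falls through. */
static void recv_before_fix(struct model_sock *s)
{
    enter(s);
    if (s->state == MODEL_CLOSED) {
        leave(s);
    }   /* missing return: execution continues to the common exit */
    leave(s);
}

/* Shape after the fix: the closed branch returns after its cleanup. */
static void recv_after_fix(struct model_sock *s)
{
    enter(s);
    if (s->state == MODEL_CLOSED) {
        leave(s);
        return;
    }
    leave(s);
}

/* Run one handler on a fresh socket and return the resulting bookkeeping. */
struct model_sock run_once(void (*recv)(struct model_sock *), enum model_state st)
{
    struct model_sock s = { st, 1, 0 };
    recv(&s);
    return s;
}

int main(void)
{
    struct model_sock b = run_once(recv_before_fix, MODEL_CLOSED);
    printf("before fix: refcnt=%d lock_depth=%d\n", b.refcnt, b.lock_depth);
    return 0;
}
```

In the model, a reference count of 0 after the pre-fix handler means the owner's reference has been dropped while the owner still holds a pointer, which is the use-after-free condition the description names.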
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected d646960f7986fefb460a2b062d5ccc8ccfeacc3a - < b2a23529593d011fb433a3d711fc597ed6a6bd2f; affected d646960f7986fefb460a2b062d5ccc8ccfeacc3a - < 665315df9c3486cb213fc44d83cc8bcd47fe0d26; affected d646960f7986fefb460a2b062d5ccc8ccfeacc3a - < 9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6; affected d646960f7986fefb460a2b062d5ccc8ccfeacc3a - < 0eb1263a3b8c36418c9ba295c9ab3abed664edbf; affected d646960f7986fefb460a2b062d5ccc8ccfeacc3a - < 796e0cac058252d0ad34ebe288e6f7979b5fc9b2; +4 more versions |
| Linux | Linux | affected 3.3; unaffected 0 - < 3.3; unaffected 5.10.258 - <= 5.10.*; unaffected 5.15.209 - <= 5.15.*; unaffected 6.1.175 - <= 6.1.*; +6 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
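Attack Vector: Adjacent (AV:A)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)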