CVE-2026-31509 Overview
A circular locking dependency vulnerability has been identified in the Linux kernel's NFC NCI (NFC Controller Interface) subsystem. The flaw exists in the nci_close_device() function, which flushes rx_wq and tx_wq work queues while holding the req_lock mutex. This creates a deadlock condition because nci_rx_work() running on rx_wq can also attempt to acquire the same lock through a chain of function calls.
Critical Impact
This vulnerability can cause system deadlock conditions when NFC operations are performed, potentially leading to denial of service. The issue has been observed occurring in approximately 4% of NCI selftest runs with debug kernels.
Affected Products
- Linux Kernel (NFC NCI subsystem)
- Systems with NFC controller interface support enabled
- Debug kernel builds running NCI selftests
Discovery Timeline
- April 22, 2026 - CVE-2026-31509 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31509
Vulnerability Analysis
The vulnerability stems from improper lock ordering in the NFC NCI device closure path. When nci_close_device() is called, it holds the req_lock mutex while attempting to flush the receive and transmit work queues. However, work items running on these queues can also attempt to acquire the same lock, creating a circular dependency that results in a deadlock.
The problematic execution path occurs through the following call chain: nci_rx_work → nci_rx_data_packet → nci_data_exchange_complete → __sk_destruct → rawsock_destruct → nfc_deactivate_target → nci_deactivate_target → nci_request → mutex_lock(&ndev->req_lock).
This race condition manifests particularly under debug kernel configurations where additional validation and timing changes increase the probability of the circular lock being triggered. The NIPA (Network Infrastructure for Automated Testing) framework has observed this failure occurring in roughly 4% of test runs.
Root Cause
The root cause is a lock ordering violation where the nci_close_device() function holds req_lock while flushing work queues that may independently attempt to acquire the same lock. This creates an ABBA deadlock scenario: Thread A holds req_lock and waits for work queue flush, while Thread B (work queue) waits to acquire req_lock.
Attack Vector
This vulnerability is primarily a reliability and availability issue rather than a security exploit vector. The deadlock condition can be triggered through normal NFC device operations, particularly during device close sequences when pending work items are being processed. While not directly exploitable for code execution, the resulting system hang could cause denial of service conditions on systems utilizing NFC functionality.
The fix involves reordering the lock acquisition by moving the flush of rx_wq after the req_lock has been released. This is considered safe because the NCI_UP flag has already been cleared and the transport is closed at that point, causing any pending work to see the state and return -ENETDOWN.
Detection Methods for CVE-2026-31509
Indicators of Compromise
- System hangs or freezes during NFC device operations
- Kernel lockup warnings in system logs related to NCI subsystem
- Hung task timeouts involving nci_close_device or nci_rx_work functions
- Increased occurrence of NFC-related selftest failures
Detection Strategies
- Monitor kernel logs for circular lock dependency warnings using lockdep
- Enable kernel lock debugging options to detect potential deadlock scenarios
- Review system logs for hung task warnings involving NFC/NCI subsystem functions
- Implement automated testing with debug kernels to identify locking issues
Monitoring Recommendations
- Deploy kernel instrumentation to track req_lock acquisition patterns in NCI subsystem
- Enable CONFIG_PROVE_LOCKING and CONFIG_DEBUG_LOCK_ALLOC for development systems
- Monitor NFC device close operations for abnormal timing or hangs
- Set up alerting for kernel hung task detector events related to NFC workqueues
How to Mitigate CVE-2026-31509
Immediate Actions Required
- Apply the kernel patch that reorders the work queue flush operation
- Update to a patched Linux kernel version containing the fix
- Consider temporarily disabling NFC functionality on critical systems until patched
- Monitor affected systems for signs of deadlock conditions
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix involves moving the rx_wq flush operation to occur after the req_lock mutex has been released, eliminating the circular dependency. Multiple stable kernel branches have received this fix:
- Kernel Git Commit 09143c0
- Kernel Git Commit 1edc12d
- Kernel Git Commit 4527025
- Kernel Git Commit 5eef9eb
- Kernel Git Commit 7ed00a3
- Kernel Git Commit ca54e90
- Kernel Git Commit d89b74b
- Kernel Git Commit eb435d1
Workarounds
- Disable NFC subsystem if not required: unload nci and related NFC kernel modules
- Avoid frequent NFC device open/close cycles that may trigger the race condition
- Compile kernel without NFC support (CONFIG_NFC=n) for systems not requiring NFC functionality
- Implement application-level serialization of NFC operations to reduce concurrent access
# Disable NFC kernel modules as a temporary workaround
modprobe -r nci
modprobe -r nfc
# Add to /etc/modprobe.d/nfc-disable.conf to persist across reboots
echo "blacklist nci" >> /etc/modprobe.d/nfc-disable.conf
echo "blacklist nfc" >> /etc/modprobe.d/nfc-disable.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
