CVE-2026-31545 Overview
CVE-2026-31545 is a vulnerability in the Linux kernel's NFC nxp-nci driver that improperly handles GPIO operations for firmware and enable GPIOs. The driver fails to allow GPIOs to sleep, which triggers a kernel WARN_ON condition when operating GPIOs connected to I2C GPIO expanders. This can result in system instability and denial of service conditions on affected Linux systems utilizing NXP NCI-based NFC hardware.
Critical Impact
Local attackers with low privileges can cause kernel warnings and driver malfunction, potentially leading to system instability and denial of service on systems using NXP NCI NFC hardware with I2C GPIO expanders.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1 through 7.0-rc4
- Systems with NXP NCI-based NFC controllers using I2C GPIO expanders
Discovery Timeline
- April 24, 2026 - CVE-2026-31545 published to NVD
- April 28, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31545
Vulnerability Analysis
This vulnerability stems from the nxp-nci NFC driver's use of gpiod_set_value() instead of gpiod_set_value_cansleep() for controlling firmware and enable GPIOs. In the Linux kernel GPIO subsystem, gpiod_set_value() is designed for GPIOs that can be accessed atomically without sleeping, while gpiod_set_value_cansleep() is required for GPIOs that may need to sleep during access—such as those connected through I2C GPIO expanders.
When the driver attempts to set GPIO values on a "sleepy" GPIO (one that requires sleeping to complete the operation), the kernel's GPIO library triggers a WARN_ON at drivers/gpio/gpiolib.c:3880. This warning indicates improper use of the non-sleeping GPIO API and can cause the NFC driver to malfunction.
The impact is primarily availability-focused, as the vulnerability can cause kernel warnings and driver failures but does not directly enable arbitrary code execution or data disclosure.
Root Cause
The root cause is the use of inappropriate GPIO accessor functions in the nxp-nci driver. The gpiod_set_value() function includes a safety check that triggers a warning when called on GPIOs that may sleep. The driver should use gpiod_set_value_cansleep() to properly handle GPIOs connected to I2C expanders or other slow-access GPIO controllers that require the calling context to be able to sleep.
Attack Vector
Exploitation of this vulnerability requires local access to the system. An attacker with low-level privileges could potentially trigger the vulnerable code path by interacting with the NFC subsystem on a system configured with NXP NCI hardware using I2C GPIO expanders. The attack does not require user interaction and can lead to kernel warnings, driver malfunction, and potential system instability.
The vulnerability is triggered when:
- The nxp-nci driver initializes or controls the NFC hardware
- GPIO operations are performed on firmware or enable pins
- The underlying GPIO controller requires sleeping (e.g., I2C-connected GPIO expander)
Detection Methods for CVE-2026-31545
Indicators of Compromise
- Kernel log messages containing WARNING: CPU: X PID: X at drivers/gpio/gpiolib.c:3880 gpiod_set_value
- NFC subsystem failures or unexpected behavior related to nxp-nci driver
- System instability correlated with NFC hardware initialization or usage
Detection Strategies
- Monitor kernel logs for WARN_ON messages originating from gpiod_set_value in gpiolib.c
- Audit systems for NXP NCI NFC hardware configurations using I2C GPIO expanders
- Implement kernel tracing on GPIO operations within the nxp-nci driver module
Monitoring Recommendations
- Configure syslog or journald to alert on kernel warnings from the GPIO subsystem
- Monitor NFC subsystem availability and driver health through systemd service status
- Deploy endpoint detection capable of correlating kernel warning patterns with NFC driver activity
How to Mitigate CVE-2026-31545
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Temporarily disable NFC functionality if not required and running vulnerable configurations
- Review system hardware configurations to identify affected NXP NCI NFC setups with I2C GPIO expanders
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix modifies the nxp-nci driver to use gpiod_set_value_cansleep() instead of gpiod_set_value() for GPIO operations, properly handling GPIOs that may require sleeping.
Patches are available from the following kernel git commits:
- Kernel Git Commit Change 1
- Kernel Git Commit Change 2
- Kernel Git Commit Change 3
- Kernel Git Commit Change 4
- Kernel Git Commit Change 5
- Kernel Git Commit Change 6
- Kernel Git Commit Change 7
- Kernel Git Commit Change 8
Workarounds
- Blacklist or unload the nxp-nci kernel module if NFC functionality is not required: modprobe -r nxp-nci
- If using I2C GPIO expanders with NFC hardware, consider alternative GPIO configurations where possible
- Prioritize kernel updates for systems actively using NXP NCI NFC hardware
# Temporarily disable nxp-nci module
echo "blacklist nxp-nci" >> /etc/modprobe.d/nfc-disable.conf
modprobe -r nxp-nci
# Verify module is unloaded
lsmod | grep nxp
# After patching, re-enable by removing the blacklist
rm /etc/modprobe.d/nfc-disable.conf
modprobe nxp-nci
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
