CVE-2026-31622 Overview
CVE-2026-31622 is a heap buffer overflow vulnerability in the Linux kernel's NFC digital protocol stack [CWE-120]. The flaw resides in digital_in_recv_sdd_res(), which handles NFC-A anti-collision Single Device Detection (SDD) responses. The function appends 3 or 4 bytes to target->nfcid1 on each cascade round without validating the total accumulated length. A malicious NFC peer can drive an unbounded number of cascade rounds, writing past the fixed-size NFC_NFCID1_MAXSIZE (10 bytes) buffer in the heap-allocated nfc_target structure.
Critical Impact
An adjacent attacker within NFC range of a vulnerable Linux device can corrupt kernel heap memory, potentially leading to kernel code execution or denial of service.
Affected Products
- Linux Kernel (NFC digital driver subsystem)
- Distributions shipping affected stable kernel branches prior to the fix commits
- Systems with NFC hardware exposing the digital protocol stack
Discovery Timeline
- 2026-04-24 - CVE-2026-31622 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31622
Vulnerability Analysis
The NFC-A anti-collision protocol uses a cascade mechanism to resolve target Unique Identifiers (UIDs). Each cascade level returns either 3 UID bytes plus a cascade tag indicating that more levels follow, or 4 UID bytes representing the final portion. ISO 14443-3 caps NFC-A at three cascade levels, so the longest legitimate UID is 3 + 3 + 4 = 10 bytes, which is why target->nfcid1 is sized to 10 bytes via NFC_NFCID1_MAXSIZE.
The driver function digital_in_recv_sdd_res() trusts peer-controlled fields to determine cascade behavior. The peer sets the cascade tag in the SDD_RES frame, controlling whether 3 or 4 bytes get appended. It also controls the cascade-incomplete bit in the SEL_RES frame, deciding whether another cascade round follows. No driver-side check enforces the three-level ISO limit.
A related issue on the NCI path was previously addressed by commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays"), but the equivalent check was missing in the digital protocol path.
Root Cause
The root cause is missing bounds validation on attacker-controlled cascade depth. The driver concatenates UID fragments into a fixed-size buffer, with the number of rounds determined entirely by peer-supplied protocol fields. This is a classic heap buffer overflow [CWE-120]: the trust boundary between the hardware peer and kernel memory is not enforced.
Attack Vector
Exploitation requires proximity within NFC range (typically less than 10 cm) to a target device with an active NFC reader. No authentication or user interaction is required. A rogue NFC tag emulator or hostile NFC device repeatedly sets the cascade tag and cascade-incomplete bit, forcing the kernel to append additional UID bytes past the buffer boundary. Each round writes 3 or 4 bytes into adjacent heap memory.
The fix rejects any SDD response where the accumulated UID length would exceed NFC_NFCID1_MAXSIZE. See the kernel patch commit 1bec569 for the canonical fix.
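To make the root cause and the fix concrete, here is a small user-space model of the SDD_RES handling described above. It is an added example, not the kernel's digital_in_recv_sdd_res() or the upstream patch: struct nfc_target_model, model_recv_sdd_res(), model_run_cascade() and the constant name SDD_RES_CT are this model's own names, and the frames fed to it are constructed. The frame layout (four UID bytes followed by a BCC that XORs them) and the 0x88 cascade tag follow ISO 14443-3; the length check is the one the advisory says the fix adds, placed before the copy, and the comment marks where the unpatched code went straight to the copy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size UID buffer as in the kernel: 3 + 3 + 4 = 10 bytes for three cascade levels. */
#define NFC_NFCID1_MAXSIZE 10
/* ISO 14443-3 cascade tag value (model constant name). */
#define SDD_RES_CT 0x88
/* One SDD_RES frame: four UID bytes followed by BCC (XOR of the four). */
#define SDD_RES_LEN 5

struct nfc_target_model {
	uint8_t nfcid1[NFC_NFCID1_MAXSIZE];
	uint8_t nfcid1_len;
};

/* Build a constructed frame with a correct BCC from four UID bytes. */
static void make_sdd_res(uint8_t out[SDD_RES_LEN], uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3)
{
	out[0] = b0; out[1] = b1; out[2] = b2; out[3] = b3;
	out[4] = b0 ^ b1 ^ b2 ^ b3;
}

/*
 * Process one SDD_RES frame for the current cascade level.
 * Returns the number of UID bytes appended (3 with a cascade tag, 4 for the
 * final level) or a negative errno-style code when the frame is rejected.
 * *more is set when the peer's cascade tag claims another level follows.
 */
int model_recv_sdd_res(struct nfc_target_model *target, const uint8_t *sdd_res, size_t len, int *more)
{
	size_t offset, nbytes;

	if (len != SDD_RES_LEN)
		return -EPROTO;
	/* BCC must cover the four UID bytes; a corrupt frame is dropped. */
	if ((sdd_res[0] ^ sdd_res[1] ^ sdd_res[2] ^ sdd_res[3]) != sdd_res[4])
		return -EIO;

	if (sdd_res[0] == SDD_RES_CT) {
		offset = 1; nbytes = 3; *more = 1;   /* cascade tag: 3 UID bytes, more levels follow */
	} else {
		offset = 0; nbytes = 4; *more = 0;   /* final level: 4 UID bytes */
	}

	/* The bounds check the fix adds. The vulnerable code had no check here and
	 * copied unconditionally, so a peer that kept signalling more levels wrote
	 * past the end of nfcid1. Rejecting before the copy keeps the buffer intact. */
	if ((size_t)target->nfcid1_len + nbytes > NFC_NFCID1_MAXSIZE)
		return -EPROTO;

	memcpy(target->nfcid1 + target->nfcid1_len, sdd_res + offset, nbytes);
	target->nfcid1_len += (uint8_t)nbytes;
	return (int)nbytes;
}

/* Feed a sequence of frames; returns the final UID length or the first error. */
int model_run_cascade(uint8_t frames[][SDD_RES_LEN], size_t nframes, struct nfc_target_model *target)
{
	int more = 0;
	memset(target, 0, sizeof(*target));
	for (size_t i = 0; i < nframes; i++) {
		int rc = model_recv_sdd_res(target, frames[i], SDD_RES_LEN, &more);
		if (rc < 0)
			return rc;
	}
	return target->nfcid1_len;
}

/* Constructed well-formed three-level cascade: 3 + 3 + 4 bytes -> length 10. */
int model_example_valid(void)
{
	uint8_t frames[3][SDD_RES_LEN];
	struct nfc_target_model t;
	make_sdd_res(frames[0], SDD_RES_CT, 0x01, 0x02, 0x03);
	make_sdd_res(frames[1], SDD_RES_CT, 0x04, 0x05, 0x06);
	make_sdd_res(frames[2], 0x07, 0x08, 0x09, 0x0a);
	return model_run_cascade(frames, 3, &t);
}

/* Constructed peer that keeps the cascade tag set past level three:
 * 3 + 3 + 3 bytes are accepted (9 <= 10); the fourth frame would reach 13 and is rejected. */
int model_example_overlong(void)
{
	uint8_t frames[4][SDD_RES_LEN];
	struct nfc_target_model t;
	make_sdd_res(frames[0], SDD_RES_CT, 0x01, 0x02, 0x03);
	make_sdd_res(frames[1], SDD_RES_CT, 0x04, 0x05, 0x06);
	make_sdd_res(frames[2], SDD_RES_CT, 0x07, 0x08, 0x09);
	make_sdd_res(frames[3], 0x0a, 0x0b, 0x0c, 0x0d);
	return model_run_cascade(frames, 4, &t);
}

int main(void)
{
	printf("valid cascade -> nfcid1_len %d\n", model_example_valid());
	printf("overlong cascade -> rc %d (EPROTO is %d)\n", model_example_overlong(), EPROTO);
	return 0;
}
```

The check compares the accumulated length plus the bytes this frame would add against the buffer size, so a peer cannot reach the copy with an over-long UID regardless of how many rounds it requests; the BCC check is the pre-existing frame integrity test and does nothing to bound the length, which is why it could not prevent the overflow.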
Detection Methods for CVE-2026-31622
Indicators of Compromise
- Unexpected kernel oops, panic, or slab-out-of-bounds KASAN reports referencing digital_in_recv_sdd_res or nfc_target in stack traces
- Repeated NFC polling sessions with anomalous cascade lengths logged by the NFC subsystem
- Heap corruption symptoms (random crashes, memory allocator warnings) on devices with active NFC interfaces
Detection Strategies
- Monitor dmesg and journalctl -k for NFC subsystem warnings and KASAN reports involving nfcid1 writes
- Audit running kernel versions across the fleet against the stable kernel commits listed in the advisory
- Use kernel runtime integrity tooling to flag corruption in NFC-related heap objects
Monitoring Recommendations
- Inventory all Linux endpoints with NFC hardware enabled and the nfc kernel module loaded
- Correlate NFC driver activity with proximity-based access events in physical security logs
- Track package update status for kernel updates across distributions shipping NFC support
How to Mitigate CVE-2026-31622
Immediate Actions Required
- Apply the upstream stable kernel patches referenced in the advisory to all affected systems
- Where patching is not immediate, unload the NFC digital driver module on systems that do not require NFC functionality
- Disable NFC hardware in BIOS/UEFI, or soft-block it via rfkill (the state is persisted across reboots by systemd-rfkill), on devices where the feature is unused
Patch Information
The upstream fix adds a bounds check that rejects any SDD response producing an accumulated UID larger than NFC_NFCID1_MAXSIZE. Patches are available across stable kernel branches via commits 1bec569, 2819f34, 46ce8be, 5a59bf7, 8d9d9bf, and cc024a3.
Workarounds
- Blacklist the nfc and nfc_digital kernel modules on systems that do not need NFC
- Physically disable or shield NFC antennas on critical endpoints until kernels are patched
- Restrict physical access to devices with NFC hardware to reduce exposure to adjacent (NFC-range) exploitation
# Configuration example: blacklist NFC kernel modules
# 'blacklist' only prevents alias-based autoloading; 'install <mod> /bin/false' also refuses explicit loads
echo 'blacklist nfc' | sudo tee /etc/modprobe.d/disable-nfc.conf
echo 'blacklist nfc_digital' | sudo tee -a /etc/modprobe.d/disable-nfc.conf
echo 'install nfc /bin/false' | sudo tee -a /etc/modprobe.d/disable-nfc.conf
echo 'install nfc_digital /bin/false' | sudo tee -a /etc/modprobe.d/disable-nfc.conf
# Unload now (nfc_digital depends on nfc, so it is listed first); fails silently if a hardware driver still holds them
sudo modprobe -r nfc_digital nfc 2>/dev/null
# Rebuild the initramfs so the change applies at boot (Debian/Ubuntu; on Fedora/RHEL use: sudo dracut -f)
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.