CVE-2026-31629 Overview
A use-after-free vulnerability exists in the Linux kernel's NFC LLCP (Logical Link Control Protocol) subsystem. The flaw resides in the nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() functions, where missing return statements after handling LLCP_CLOSED socket states result in double release operations on socket resources. This leads to a refcount underflow and subsequent use-after-free condition that can be exploited by an attacker with adjacent network access.
Critical Impact
Adjacent network attackers can exploit this use-after-free vulnerability to achieve high-impact compromise of confidentiality, integrity, and availability on affected Linux kernel systems with NFC capabilities.
Affected Products
- Linux Kernel (multiple versions)
- Systems with NFC hardware and LLCP subsystem enabled
- Devices utilizing NFC communication protocols
Discovery Timeline
- April 24, 2026 - CVE-2026-31629 published to NVD
- April 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31629
Vulnerability Analysis
The vulnerability is classified as CWE-667 (Improper Locking), manifesting as a use-after-free condition in the Linux kernel's NFC LLCP implementation. When the socket state is LLCP_CLOSED, the affected functions correctly invoke release_sock() and nfc_llcp_sock_put() to clean up resources. However, due to missing return statements, execution continues past these cleanup operations and falls through to subsequent code paths that perform the same cleanup operations again.
This double invocation of release_sock() results in improper lock state, while the double call to nfc_llcp_sock_put() causes a reference count underflow. When the refcount drops below zero, the socket structure may be freed prematurely while still being referenced, creating a classic use-after-free scenario.
The vulnerability can be triggered from an adjacent network position, requiring no privileges or user interaction. An attacker within NFC communication range could craft malicious LLCP packets to trigger the vulnerable code path and exploit the use-after-free condition.
Root Cause
The root cause is a control flow error in the nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() functions within the Linux kernel's NFC subsystem. When checking for the LLCP_CLOSED socket state, the code branches handle cleanup operations but fail to include return statements. This allows execution to fall through to the remainder of the function, which contains duplicate cleanup calls. The missing returns result in double-release and refcount underflow conditions that corrupt kernel memory state.
Attack Vector
The attack vector requires adjacent network access, specifically physical proximity to the target device's NFC hardware. An attacker can exploit this vulnerability by:
- Establishing NFC communication with a vulnerable device
- Manipulating the LLCP connection state to trigger the LLCP_CLOSED condition
- Sending crafted HDLC frames or disconnect messages that invoke the vulnerable functions
- Exploiting the resulting use-after-free to achieve arbitrary code execution or denial of service
The vulnerability is exploitable without authentication or user interaction, though it requires the attacker to be within NFC communication range (typically a few centimeters).
Detection Methods for CVE-2026-31629
Indicators of Compromise
- Kernel panic or crash logs referencing NFC LLCP subsystem functions such as nfc_llcp_recv_hdlc or nfc_llcp_recv_disc
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in NFC-related kernel memory regions
- Unexpected refcount warnings or underflow messages in kernel logs related to NFC sockets
- System instability when NFC hardware is in use or when processing LLCP connections
Detection Strategies
- Enable KASAN in kernel debug builds to detect use-after-free memory access patterns in the NFC subsystem
- Monitor kernel log messages (dmesg) for NFC LLCP-related panics, refcount warnings, or memory corruption indicators
- Implement runtime kernel integrity monitoring to detect exploitation attempts targeting NFC subsystem memory
- Deploy network monitoring at the NFC layer to identify anomalous LLCP packet patterns or connection state manipulation
Monitoring Recommendations
- Configure kernel logging to capture NFC subsystem events at verbose levels for forensic analysis
- Implement system health monitoring to alert on unexpected kernel crashes or memory-related errors
- Monitor for suspicious NFC activity patterns that could indicate exploitation attempts
- Audit kernel versions across the infrastructure to identify systems running vulnerable code
How to Mitigate CVE-2026-31629
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- If patching is not immediately possible, consider disabling NFC functionality on critical systems
- Review and restrict physical access to systems with NFC capabilities to reduce adjacent network exposure
- Monitor affected systems for signs of exploitation while preparing patch deployment
Patch Information
The Linux kernel maintainers have released patches that add the missing return statements after the LLCP_CLOSED state handling in both nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() functions. Multiple stable kernel branches have received fixes:
- Kernel patch commit 0eb1263a3b8c
- Kernel patch commit 2b5dd4632966
- Kernel patch commit 796e0cac0582
- Kernel patch commit 8977fad2b3c6
- Kernel patch commit aba4712e8f03
- Kernel patch commit ff3d9e8f7244
Organizations should apply the appropriate patch for their kernel version through standard update mechanisms.
Workarounds
- Disable NFC functionality at the kernel level by blacklisting NFC modules: add blacklist nfc and blacklist nfc_llcp to /etc/modprobe.d/blacklist.conf
- Physically disable or remove NFC hardware on systems where the feature is not required
- Restrict physical access to NFC-enabled devices to minimize adjacent network attack surface
- Implement network segmentation and access controls to limit potential attacker proximity to vulnerable systems
# Configuration example
# Disable NFC kernel modules to mitigate CVE-2026-31629
echo "blacklist nfc" >> /etc/modprobe.d/cve-2026-31629.conf
echo "blacklist nfc_llcp" >> /etc/modprobe.d/cve-2026-31629.conf
echo "install nfc /bin/false" >> /etc/modprobe.d/cve-2026-31629.conf
echo "install nfc_llcp /bin/false" >> /etc/modprobe.d/cve-2026-31629.conf
# Unload modules if currently loaded
modprobe -r nfc_llcp
modprobe -r nfc
# Update initramfs to persist changes
update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
