CVE-2026-31660 Overview
CVE-2026-31660 is a medium-severity flaw in the Linux kernel's NFC pn533 driver. The pn532_receive_buf() function consumes bytes into recv_skb and may hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer. When the subsequent alloc_skb() call fails, the callback returns 0 despite having already consumed bytes, leaving recv_skb set to NULL for the next receive callback. This breaks the receive_buf() accounting contract and can trigger a NULL pointer dereference on the next skb_put_u8() call. The result is a local denial-of-service condition on systems using PN532-based NFC hardware over serdev.
Critical Impact
A local attacker with low privileges on a system using the affected NFC driver can trigger a NULL pointer dereference, leading to a kernel crash and denial of service.
Affected Products
- Linux Kernel (multiple stable branches affected; see kernel.org commits)
- Linux Kernel 5.5 release
- Linux Kernel 7.0 release candidates (rc1 through rc7)
Discovery Timeline
- 2026-04-24 - CVE-2026-31660 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31660
Vulnerability Analysis
The defect resides in the pn532_receive_buf() callback within the kernel's nfc/pn533 driver. This callback is registered with the serial device (serdev) core and is invoked when bytes arrive from the PN532 NFC controller over a UART transport. The serdev contract requires the callback to return the exact number of bytes it accepted from the supplied buffer.
In the vulnerable implementation, the callback consumes incoming bytes into the receive socket buffer (recv_skb) and may forward a completed frame to pn533_recv_frame(). After dispatching the frame, the code attempts to allocate a fresh recv_skb for the next incoming frame. If alloc_skb() returns NULL under memory pressure, the function returns 0 despite having already consumed bytes from the serdev buffer.
Root Cause
Two defects compound here. First, the function violates the serdev receive_buf() accounting contract by returning 0 after bytes have already been consumed. Second, leaving recv_skb as NULL causes the next invocation of the callback to dereference a NULL pointer when it calls skb_put_u8() to append the next byte. The fix allocates the receive skb lazily, immediately before consuming the next byte, and returns the count of already-accepted bytes if allocation fails.
Attack Vector
Exploitation requires local access with low privileges on a system that has the pn533 driver loaded and a PN532 NFC device connected via serdev. An attacker who can induce kernel memory pressure while NFC traffic is being processed can race the alloc_skb() failure path. Successful triggering produces a NULL dereference in soft-interrupt context, crashing the kernel. The flaw cannot be reached remotely and does not leak data or escalate privileges.
No public proof-of-concept is available and the EPSS score remains very low, reflecting limited exploitation appeal for a local DoS in a niche driver.
Detection Methods for CVE-2026-31660
Indicators of Compromise
- Kernel oops or panic messages referencing pn533_recv_frame, pn532_receive_buf, or skb_put_u8 in dmesg output.
- Unexpected reboots or hangs on systems with PN532 NFC hardware attached via UART/serdev.
- Memory allocation failure messages (page allocation failure) preceding NFC subsystem faults.
Detection Strategies
- Inventory hosts with the pn533_uart or pn533 modules loaded using lsmod and centralized configuration management telemetry.
- Correlate kernel crash dumps and kdump artifacts against the affected commit hashes listed in the kernel.org references.
- Compare running kernel versions against the patched stable release lines to identify unpatched assets.
Monitoring Recommendations
- Forward kernel ring buffer (/dev/kmsg) and journald logs to a centralized log platform and alert on BUG:, Oops:, and NFC-tagged kernel messages.
- Track module load events for pn533 on production hosts where NFC functionality is not required.
- Monitor kernel patch state across the fleet to ensure the fix is deployed on all affected stable branches.
How to Mitigate CVE-2026-31660
Immediate Actions Required
- Apply the upstream kernel patches referenced by commit 07cb6c72e66b, 16649adc2e19, 21ae2cda66a5, 2ca64fb7e2d2, 7e37da42eda4, 8b71299d587d, a9495069b43b, and c71ba669b570 from the Linux stable tree.
- Reboot affected systems after kernel updates to load the fixed driver.
- Where NFC is not required, blacklist the pn533 and pn533_uart modules to remove the attack surface entirely.
Patch Information
The upstream fix allocates the receive skb lazily before consuming the next byte. If allocation fails, the callback now returns the number of bytes already accepted, preserving the serdev accounting contract and eliminating the NULL dereference. The patches are merged into multiple Linux stable branches; consult the kernel.org commit references and apply the version corresponding to your distribution kernel.
Workarounds
- Unload the affected driver with modprobe -r pn533_uart pn533 on systems that do not require NFC.
- Add pn533 and pn533_uart to /etc/modprobe.d/blacklist.conf to prevent automatic loading at boot.
- Restrict physical and local access on systems where NFC hardware must remain operational until patching is complete.
# Blacklist the affected modules until the kernel is patched
echo 'blacklist pn533' | sudo tee /etc/modprobe.d/disable-pn533.conf
echo 'blacklist pn533_uart' | sudo tee -a /etc/modprobe.d/disable-pn533.conf
sudo modprobe -r pn533_uart pn533
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
