CVE-2026-31629

HIGH · EPSS 12.9%
Published Apr 24, 2026 (2mo ago) · Modified Jun 17, 2026 (2w ago)
CVSS 3.1: 8.8 (High)

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: add missing return after LLCP_CLOSED checks

In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free.

Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
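The fall-through described above, as an added user-space model (not the kernel source and not the upstream patch). Every type and function name below is hypothetical, and it is an assumption of the model that the handler takes one reference and the socket lock before the state check.

```c
#include <stdio.h>

/* Constructed user-space model of the pattern; NOT kernel code. All names are hypothetical. */
enum model_state { MODEL_CONNECTED, MODEL_CLOSED };
struct model_sock {
    enum model_state state;
    int lock_depth; /* 1 while held; negative means a release without a matching lock */
    int refcnt;     /* references held; the object would be freed when this reaches 0 */
};

static void model_lock(struct model_sock *s)    { s->lock_depth++; }
static void model_release(struct model_sock *s) { s->lock_depth--; }
static void model_get(struct model_sock *s)     { s->refcnt++; }
static void model_put(struct model_sock *s)     { s->refcnt--; }

/* Handler shape with the flaw: the closed branch cleans up but does not return. */
static void recv_missing_return(struct model_sock *s)
{
    model_get(s);               /* assumption: lookup takes one reference */
    model_lock(s);
    if (s->state == MODEL_CLOSED) {
        model_release(s);
        model_put(s);
        /* no return: execution continues into the common exit path */
    }
    model_release(s);           /* second release on the closed path */
    model_put(s);               /* second put: drops a reference we never took */
}

/* Same handler with the return added after the closed-state cleanup. */
static void recv_with_return(struct model_sock *s)
{
    model_get(s);
    model_lock(s);
    if (s->state == MODEL_CLOSED) {
        model_release(s);
        model_put(s);
        return;
    }
    model_release(s);
    model_put(s);
}

/* Run a handler on a closed socket that one other owner still references. */
static int refcnt_after(void (*handler)(struct model_sock *), int *lock_depth)
{
    struct model_sock s = { MODEL_CLOSED, 0, 1 };
    handler(&s);
    *lock_depth = s.lock_depth;
    return s.refcnt;
}
```

In the model, the flawed handler leaves the count at 0 while the other owner still holds its reference, which is the condition that becomes a use-after-free once the object is freed.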

CVSS Details

Base Score: 8.8
Exploitability: 2.8
Impact: 5.9
Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability
12.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-667

Affected Products 5

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥3.3 – <6.6.136
linux   linux_kernel  *        ≥6.7 – <6.12.83
linux   linux_kernel  *        ≥6.13 – <6.18.24
linux   linux_kernel  *        ≥6.19 – <6.19.14
linux   linux_kernel  *        ≥7.0 – <7.0.1

References 9

  • git.kernel.org https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/665315df9c3486cb213fc44d83cc8bcd47fe0d26
  • git.kernel.org https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6
  • git.kernel.org https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b2a23529593d011fb433a3d711fc597ed6a6bd2f
  • git.kernel.org https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9
    Patch