Linux kernel LLCP double free due to missing return (UAF)
CVE-2026-31629 Published on April 24, 2026
nfc: llcp: add missing return after LLCP_CLOSED checks
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: add missing return after LLCP_CLOSED checks
In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket
state is LLCP_CLOSED, the code correctly calls release_sock() and
nfc_llcp_sock_put() but fails to return. Execution falls through to
the remainder of the function, which calls release_sock() and
nfc_llcp_sock_put() again. This results in a double release_sock()
and a refcount underflow via double nfc_llcp_sock_put(), leading to
a use-after-free.
Add the missing return statements after the LLCP_CLOSED branches
in both functions to prevent the fall-through.
Products Associated with CVE-2026-31629
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 796e0cac058252d0ad34ebe288e6f7979b5fc9b2 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 8977fad2b3c6eefd414131168d597c5d1d5e1abf is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below ff3d9e8f7244293e303f7b6ef70774291c7c27e9 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below aba4712e8f0381cd5d196534ce2ad082626a5ab6 is affected.
- Version 6.12.83, <= 6.12.* is unaffected.
- Version 6.18.24, <= 6.18.* is unaffected.
- Version 6.19.14, <= 6.19.* is unaffected.
- Version 7.0.1, <= 7.0.* is unaffected.