Linux Kernel nfc pn533 skb Allocation Bug Leaks Null Deref
CVE-2026-31660 Published on April 24, 2026
nfc: pn533: allocate rx skb before consuming bytes
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532_receive_buf() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already hand
a complete frame to pn533_recv_frame() before allocating a fresh receive
buffer.
If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.
Products Associated with CVE-2026-31660
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below 2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb is affected.
- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below 8b71299d587d9e4c830c18afb884c80ddb30ad28 is affected.
- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below 16649adc2e19509104245ea1f349b629d858f11f is affected.
- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below 07cb6c72e66ba548679f22ac29ad588da8999279 is affected.
- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below a9495069b43b8634c1ae0042e888766c34f66637 is affected.
- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below 21ae2cda66a55c759607bbf1d23cbaa42019d2de is affected.
- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below 7e37da42eda45d7859d9273fc7e225d8df458038 is affected.
- Version c656aa4c27b17a8c70da223ed5ab42145800d6b5 and below c71ba669b570c7b3f86ec875be222ea11dacb352 is affected.
- Version 5.5 is affected.
- Before 5.5 is unaffected.
- Version 5.10.253, <= 5.10.* is unaffected.
- Version 5.15.203, <= 5.15.* is unaffected.
- Version 6.1.169, <= 6.1.* is unaffected.
- Version 6.6.135, <= 6.6.* is unaffected.
- Version 6.12.82, <= 6.12.* is unaffected.
- Version 6.18.23, <= 6.18.* is unaffected.
- Version 6.19.13, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.