
Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: add missing return after LLCP_CLOSED checks

In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free.

Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
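The fall-through described above, as an added userspace model that is not kernel code and not part of the CVE record. Every name in it is hypothetical, and it assumes the handler takes one reference and the socket lock on entry while the socket's owner holds one reference of its own.

```c
#include <stdio.h>

/* Constructed userspace model; every name here is hypothetical. */
enum model_state { MODEL_CONNECTED, MODEL_CLOSED };

struct model_sock {
    enum model_state state;
    int refcnt; /* stands in for the socket reference count */
    int locked; /* 1 between lock and release */
    int freed;  /* set when refcnt drops to 0 */
    int faults; /* release while unlocked, or put after free */
};

static void model_release(struct model_sock *s) {
    if (!s->locked) s->faults++;
    s->locked = 0;
}

static void model_put(struct model_sock *s) {
    if (s->freed) { s->faults++; return; }
    if (--s->refcnt == 0) s->freed = 1;
}

/* Receive-handler shape from the description; fixed=1 adds the return. */
static void model_recv(struct model_sock *s, int fixed) {
    s->refcnt++;   /* assumed: lookup takes a reference */
    s->locked = 1; /* assumed: handler locks the socket */
    if (s->state == MODEL_CLOSED) {
        model_release(s);
        model_put(s);
        if (fixed) return; /* the statement the patch adds */
    }
    /* frame processing would happen here */
    model_release(s); /* second release on the buggy path */
    model_put(s);     /* second put: drops the owner's reference */
}

static struct model_sock run_model(int fixed) {
    struct model_sock s = { MODEL_CLOSED, 1, 0, 0, 0 }; /* owner holds 1 ref */
    model_recv(&s, fixed);
    return s;
}

int main(void) {
    struct model_sock b = run_model(0), f = run_model(1);
    printf("buggy: freed=%d faults=%d; fixed: freed=%d faults=%d\n",
           b.freed, b.faults, f.freed, f.faults);
    return 0;
}
```

In the buggy run the object is marked freed while the owner's reference is still outstanding, which is the use-after-free condition; in the fixed run the count returns to the owner's single reference.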

PUBLISHED Reserved 2026-03-09 | Published 2026-04-24 | Updated 2026-04-27 | Assigner Linux




HIGH: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Product status

Default status
unaffected

d646960f7986fefb460a2b062d5ccc8ccfeacc3a (git) before 0eb1263a3b8c36418c9ba295c9ab3abed664edbf
affected

d646960f7986fefb460a2b062d5ccc8ccfeacc3a (git) before 796e0cac058252d0ad34ebe288e6f7979b5fc9b2
affected

d646960f7986fefb460a2b062d5ccc8ccfeacc3a (git) before 8977fad2b3c6eefd414131168d597c5d1d5e1abf
affected

d646960f7986fefb460a2b062d5ccc8ccfeacc3a (git) before ff3d9e8f7244293e303f7b6ef70774291c7c27e9
affected

d646960f7986fefb460a2b062d5ccc8ccfeacc3a (git) before aba4712e8f0381cd5d196534ce2ad082626a5ab6
affected

d646960f7986fefb460a2b062d5ccc8ccfeacc3a (git) before 2b5dd4632966c39da6ba74dbc8689b309065e82c
affected

Default status
affected

3.3
affected

Any version before 3.3
unaffected

6.6.136 (semver)
unaffected

6.12.83 (semver)
unaffected

6.18.24 (semver)
unaffected

6.19.14 (semver)
unaffected

7.0.1 (semver)
unaffected

7.1-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf

git.kernel.org/...c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2

git.kernel.org/...c/8977fad2b3c6eefd414131168d597c5d1d5e1abf

git.kernel.org/...c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9

git.kernel.org/...c/aba4712e8f0381cd5d196534ce2ad082626a5ab6

git.kernel.org/...c/2b5dd4632966c39da6ba74dbc8689b309065e82c

cve.org (CVE-2026-31629)

nvd.nist.gov (CVE-2026-31629)
