CVE-2026-31622

EUVD-2026-25515
In the Linux kernel, the following vulnerability has been resolved:

NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
or 4 bytes to target->nfcid1 on each round, but the number of cascade
rounds is controlled entirely by the peer device.  The peer sets the
cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
cascade-incomplete bit in the SEL_RES (deciding whether another round
follows).

ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
actually enforces this.  This means a malicious peer can keep the
cascade running, writing past the heap-allocated nfc_target with each
round.

Fix this by rejecting the response when the accumulated UID would exceed
the buffer.

Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
fixed similar missing checks against the same field on the NCI path.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
3.13 ≤
𝑥
< 6.6.136
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.83
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.24
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.14
linuxlinux_kernel
7.0 ≤
𝑥
< 7.0.1
𝑥
= Vulnerable software versions
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
dlm-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
gfs2-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-64kb
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-default-base
suse enterprise server 15 SP6
6.4.0-150600.23.112.1.150600.12.52.1
fixed
kernel-docs
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-macros
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-obs-build
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-source
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-syms
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
kernel-zfcpdump
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
ocfs2-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP6
6.4.0-150600.23.112.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.137.1-1.azl3
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/1bec5698b55aa2be5c3b983dba657c01d0fd3dbc
https://git.kernel.org/stable/c/20663102c14566e900e1d2f679e30b7f1694f387
https://git.kernel.org/stable/c/2819f34e08bdffb6f06a51c67948ec5737fb166a
https://git.kernel.org/stable/c/46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1
https://git.kernel.org/stable/c/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1
https://git.kernel.org/stable/c/8d9d9bf3565271ca7ab9c716a94e87296177e7ba
https://git.kernel.org/stable/c/9ba6bb09e00b922d902f684f575779e5433fe6e3
https://git.kernel.org/stable/c/cc024a3de265ef6c58957f4990eccb9f806208cb
https://git.kernel.org/stable/c/f83b399aa05a0712e3b1569a30d3d90b3533d2ef