CVE-2026-31660

EUVD-2026-25553

24.04.2026, 15:16

In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: allocate rx skb before consuming bytes

pn532_receive_buf() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already hand
a complete frame to pn533_recv_frame() before allocating a fresh receive
buffer.

If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().

Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

References

https://git.kernel.org/stable/c/07cb6c72e66ba548679f22ac29ad588da8999279

https://git.kernel.org/stable/c/16649adc2e19509104245ea1f349b629d858f11f

https://git.kernel.org/stable/c/21ae2cda66a55c759607bbf1d23cbaa42019d2de

https://git.kernel.org/stable/c/2ca64fb7e2d2ae14619dd204d4f2f0a601f421fb

https://git.kernel.org/stable/c/7e37da42eda45d7859d9273fc7e225d8df458038

https://git.kernel.org/stable/c/8b71299d587d9e4c830c18afb884c80ddb30ad28

https://git.kernel.org/stable/c/a9495069b43b8634c1ae0042e888766c34f66637

https://git.kernel.org/stable/c/c71ba669b570c7b3f86ec875be222ea11dacb352