CVE-2026-31629
HIGHnfc: llcp: add missing return after LLCP_CLOSED checks
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free. Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
References (9)
Core 9
Core References
Scores
CVSS v3
8.8
EPSS
0.0022
EPSS Percentile
12.8%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-667
Status
published
Products (26)
Linux/Linux
< 3.3
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 796e0cac058252d0ad34ebe288e6f7979b5fc9b2
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 8977fad2b3c6eefd414131168d597c5d1d5e1abf
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - aba4712e8f0381cd5d196534ce2ad082626a5ab6
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - ff3d9e8f7244293e303f7b6ef70774291c7c27e9
Linux/Linux
3.3
Linux/Linux
5.10.258 - 5.10.*
Linux/Linux
5.15.209 - 5.15.*
Linux/Linux
6.1.175 - 6.1.*
Linux/Linux
6.12.83 - 6.12.*
... and 16 more
Published
Apr 24, 2026
Tracked Since
Apr 24, 2026