KernelScan.io

HIGH

nfc Digital Cascade Overflow

CVE-2026-31622

CVSS 8.8 / 10.0 NVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 8.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows).

ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round.

Fix this by rejecting the response when the accumulated UID would exceed the buffer.

Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.

02

Engine v0.2.0

Risk summary

A malicious NFC peer within NFC range can trigger a heap buffer overflow by extending the NFC-A anti-collision cascade beyond the three levels that target->nfcid1 is sized for: each extra round writes 3 or 4 more peer-supplied bytes past the heap-allocated nfc_target. The result is kernel memory corruption, with denial of service or code execution as possible outcomes. The attacker needs physical proximity to the reader (CVSS AV:A) but no privileges on the target system and no user interaction.

Affected: net/nfc/digital_technology.c

Vulnerability analysis

Root Cause: The NFC-A anti-collision cascade handler in digital_in_recv_sdd_res() appends 3-4 bytes to target->nfcid1 on each cascade round without bounds checking. The number of cascade rounds is controlled entirely by the peer NFC device through cascade tags and cascade-incomplete bits. While ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), the driver did not enforce this limit.

Attack Surface: Exploitation requires physical proximity, since the malicious input arrives over the NFC air interface. An attacker needs a device (a programmable tag or emulator acting as the NFC-A target) that answers the initiator's SDD_REQ with crafted SDD_RES frames and keeps setting the cascade-incomplete bit in its SEL_RES so the cascade never ends. The attack vector is adjacent (CVSS AV:A; NFC operating range is on the order of ~4 cm) and requires no privileges on the target system and no user interaction.

Fix Mechanism: The patch adds a bounds check before copying data to target->nfcid1. It verifies that target->nfcid1_len + size does not exceed NFC_NFCID1_MAXSIZE (10 bytes). If the check fails, it returns -EPROTO error and exits the function, preventing the buffer overflow.
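The root cause and the fix above, modelled in userspace C as an added example (this is not the kernel's code and not from this page). The vulnerable handler copies whatever the peer's SDD_RES carries for as many rounds as the peer's SEL_RES asks for; the hardened variant adds the -EPROTO bounds check from the patch in front of the copy. The constants SDD_RES_CASCADE_TAG (0x88) and SEL_RES_CASCADE_INCOMPLETE (0x04) are taken from ISO 14443-3 rather than from the page; struct toy_target, struct peer_round, struct script, run_cascade and drive are constructed for the demo, and the canary stands in for whatever follows nfcid1 in the real heap object. Both peer scripts are constructed sample input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFC_NFCID1_MAXSIZE 10 /* from the advisory: nfcid1 holds at most 10 bytes */
/* Assumed values taken from ISO 14443-3, not from the page. */
#define SDD_RES_CASCADE_TAG        0x88 /* first SDD_RES byte of a non-final level */
#define SEL_RES_CASCADE_INCOMPLETE 0x04 /* SEL_RES bit: another cascade level follows */
#define CANARY_BYTE 0xA5

/* Toy stand-in for the target object; the canary models whatever follows
 * nfcid1 in the real heap object so that an overrun becomes visible. */
struct toy_target {
    uint8_t nfcid1_len;
    uint8_t nfcid1[NFC_NFCID1_MAXSIZE];
    uint8_t canary[8];
};

/* One round as the initiator sees it: SDD_RES (4 UID bytes + BCC), then SEL_RES. */
struct peer_round {
    uint8_t sdd_res[5];
    uint8_t sel_res;
};

struct script  { uint8_t uid[4]; int more; };               /* what the peer will send */
struct outcome { int rc; int canary_intact; int uid_len; }; /* what the initiator ends up with */

/* Model of the per-round handler: 0 once SEL_RES says the UID is complete, -EIO on a
 * bad BCC, -ETIMEDOUT if the peer goes quiet while still asking for more levels, and,
 * with bounds_checked set, the fix's -EPROTO when the next copy would not fit. */
static int run_cascade(struct toy_target *t, const struct peer_round *rounds,
                       size_t nrounds, int bounds_checked)
{
    t->nfcid1_len = 0;
    for (size_t i = 0; i < nrounds; i++) {
        const uint8_t *sdd = rounds[i].sdd_res;
        int skip = (sdd[0] == SDD_RES_CASCADE_TAG); /* peer-controlled cascade tag */
        int size = 4 - skip;                        /* 3 UID bytes after a CT, else 4 */
        if ((sdd[0] ^ sdd[1] ^ sdd[2] ^ sdd[3]) != sdd[4])
            return -EIO;
        /* The fix: reject the response before copying if the UID would overrun. */
        if (bounds_checked && t->nfcid1_len + size > NFC_NFCID1_MAXSIZE)
            return -EPROTO;
        /* Byte view of the whole object, so the overrun lands in the canary. */
        for (int k = 0; k < size; k++)
            ((uint8_t *)t)[offsetof(struct toy_target, nfcid1) + t->nfcid1_len + k] = sdd[skip + k];
        t->nfcid1_len += size;
        if (!(rounds[i].sel_res & SEL_RES_CASCADE_INCOMPLETE)) /* peer-controlled: done? */
            return 0;
    }
    return -ETIMEDOUT;
}

/* Constructed sample: a well-formed triple-size UID, CT+3, CT+3, 4 = 10 bytes. */
static const struct script honest[] = {
    { { SDD_RES_CASCADE_TAG, 0x04, 0x11, 0x22 }, 1 },
    { { SDD_RES_CASCADE_TAG, 0x33, 0x44, 0x55 }, 1 },
    { { 0x66, 0x77, 0x99, 0xAA }, 0 },
};

/* Constructed sample: a peer that keeps the cascade running for a fourth
 * level; 4 x 3 = 12 bytes lands two bytes past the 10-byte array. */
static const struct script malicious[] = {
    { { SDD_RES_CASCADE_TAG, 0x41, 0x41, 0x41 }, 1 },
    { { SDD_RES_CASCADE_TAG, 0x41, 0x41, 0x41 }, 1 },
    { { SDD_RES_CASCADE_TAG, 0x41, 0x41, 0x41 }, 1 },
    { { SDD_RES_CASCADE_TAG, 0x41, 0x41, 0x41 }, 0 },
};

/* Frames a script the way a tag would (BCC included) and runs it against the
 * vulnerable (bounds_checked = 0) or hardened (1) handler. */
static struct outcome drive(const struct script *s, size_t n, int bounds_checked)
{
    struct peer_round rounds[8];
    struct toy_target t = { 0 };
    struct outcome o = { 0, 1, 0 };
    n = n < 8 ? n : 8; /* script capacity of the rounds[] buffer */
    for (size_t i = 0; i < n; i++) {
        memcpy(rounds[i].sdd_res, s[i].uid, 4);
        rounds[i].sdd_res[4] = s[i].uid[0] ^ s[i].uid[1] ^ s[i].uid[2] ^ s[i].uid[3];
        rounds[i].sel_res = s[i].more ? SEL_RES_CASCADE_INCOMPLETE : 0;
    }
    memset(t.canary, CANARY_BYTE, sizeof(t.canary));
    o.rc = run_cascade(&t, rounds, n, bounds_checked);
    for (size_t i = 0; i < sizeof(t.canary); i++)
        o.canary_intact &= (t.canary[i] == CANARY_BYTE);
    o.uid_len = t.nfcid1_len;
    return o;
}

int main(void)
{
    for (int hardened = 0; hardened < 2; hardened++) {
        struct outcome o = drive(malicious, 4, hardened);
        printf("%s handler vs malicious peer: rc=%d uid_len=%d canary %s\n",
               hardened ? "hardened" : "vulnerable", o.rc, o.uid_len,
               o.canary_intact ? "intact" : "OVERWRITTEN");
    }
    return 0;
}
```

The honest script passes both variants with nfcid1_len == 10. Against the malicious script the vulnerable handler returns 0 with nfcid1_len == 12 and the first two canary bytes replaced by 0x41, which is the kernel overflow in miniature; the hardened handler stops at the fourth round with -EPROTO, leaving nfcid1_len at 9 and the canary untouched. The check has to sit before the copy, as the patch places it, because by the time nfcid1_len is compared afterwards the out-of-bounds bytes are already written.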

03

Branch     Fixed in    Patch commit
5.10       5.10.258    9ba6bb09e00b
5.15       5.15.209    f83b399aa05a
6.1        6.1.175     20663102c145
6.6        6.6.136     2819f34e08bd
6.12       6.12.83     1bec5698b55a
6.18       6.18.24     5a59bf70c38e
6.19       6.19.14     8d9d9bf35652
7.0        7.0.1       cc024a3de265
mainline   7.1-rc1     46ce8be2ced3