KernelScan.io

HIGH

nfc LLCP Socket UAF

CVE-2026-31629

CVSS 8.8 / 10.0 (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 8.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: add missing return after LLCP_CLOSED checks

In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free.

Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.

02

Engine v0.2.0

Risk summary

A use-after-free in the kernel's NFC LLCP receive path lets an attacker within NFC range corrupt kernel memory by delivering LLCP frames that reach nfc_llcp_recv_hdlc() or nfc_llcp_recv_disc() for a socket that is already in the LLCP_CLOSED state. The impact ranges from a kernel crash to potential code execution (C:H/I:H/A:H in the vector above), but the target must have NFC enabled and the attacker must be within NFC communication range, which is why the vector is AV:A rather than AV:N.

Affected: net/nfc/llcp_core.c

Vulnerability analysis

Root Cause: Missing return statements in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() after the LLCP_CLOSED socket-state check. When the socket is in LLCP_CLOSED state, the branch correctly calls release_sock() and nfc_llcp_sock_put(), but control then falls through to the common cleanup at the end of the function, which runs the same two calls again. The second release_sock() unlocks a socket lock the function no longer holds, and the second nfc_llcp_sock_put() drops a reference the function no longer owns, so the socket's refcount underflows and the object can be freed while other users still hold it, yielding the use-after-free.

Attack Surface: This vulnerability affects NFC (Near Field Communication) LLCP (Logical Link Control Protocol) packet processing. An attacker would need to deliver LLCP frames handled by these two receive paths to a device with NFC enabled while the target socket is in LLCP_CLOSED state. The attack requires physical proximity (NFC range) and the ability to send LLCP frames to the device; the frames need not be structurally malformed, since the trigger is the socket state rather than a parsing error.

Fix Mechanism: The patch adds return statements after the LLCP_CLOSED state handling in both functions. This prevents the double execution of release_sock() and nfc_llcp_sock_put(), eliminating the refcount underflow and subsequent use-after-free condition.
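To make the fall-through concrete, the following is an added user-space model of the bug and its fix. It is not code from net/nfc/llcp_core.c or from KernelScan; the struct model_sock, its integer refcount and its boolean lock flag are simplified stand-ins (assumptions) for the kernel's socket, refcount_t and lock_sock()/release_sock(), chosen so that the double release and the premature free can be counted deterministically.

```c
/*
 * Added example (not kernel or KernelScan code): a user-space model of
 * the missing-return fall-through. The socket, lock and refcount below
 * are simplified stand-ins, not the kernel's sock/lock_sock/refcount_t.
 */
#include <stdbool.h>
#include <stdio.h>

enum llcp_state { LLCP_CONNECTED, LLCP_CLOSED };

struct model_sock {
    enum llcp_state state;
    int refcnt;        /* stand-in for the socket's reference count */
    bool locked;       /* stand-in for the socket lock */
    int freed;         /* times the object "went away" (refcnt hit zero) */
    int lock_errors;   /* release_sock() on a lock that is not held */
    int underflows;    /* sock_put() on a refcount that is already zero */
};

/* The owner starts with one reference, as with a live socket. */
static struct model_sock model_new_sock(enum llcp_state st)
{
    struct model_sock s = { .state = st, .refcnt = 1 };
    return s;
}

static void model_lock_sock(struct model_sock *s) { s->locked = true; }

static void model_release_sock(struct model_sock *s)
{
    if (!s->locked)
        s->lock_errors++;       /* second release: lock is not held */
    s->locked = false;
}

static void model_sock_get(struct model_sock *s) { s->refcnt++; }

static void model_sock_put(struct model_sock *s)
{
    if (s->refcnt <= 0) {       /* dropping a reference nobody holds */
        s->underflows++;
        return;
    }
    if (--s->refcnt == 0)
        s->freed++;             /* last reference gone: object is freed */
}

/*
 * Vulnerable shape: the LLCP_CLOSED branch cleans up and then falls
 * through into the common cleanup at the end of the handler.
 */
static void model_recv_missing_return(struct model_sock *s)
{
    model_sock_get(s);          /* socket lookup takes a reference */
    model_lock_sock(s);

    if (s->state == LLCP_CLOSED) {
        model_release_sock(s);
        model_sock_put(s);
        /* no return here */
    }

    /* ... remainder of the receive handler ... */
    model_release_sock(s);      /* second release: lock not held */
    model_sock_put(s);          /* second put: frees under the owner */
}

/* Fixed shape: identical except for the return after the closed-state cleanup. */
static void model_recv_fixed(struct model_sock *s)
{
    model_sock_get(s);
    model_lock_sock(s);

    if (s->state == LLCP_CLOSED) {
        model_release_sock(s);
        model_sock_put(s);
        return;
    }

    model_release_sock(s);
    model_sock_put(s);
}

int main(void)
{
    struct model_sock bad = model_new_sock(LLCP_CLOSED);
    model_recv_missing_return(&bad);
    printf("vulnerable: refcnt=%d freed=%d lock_errors=%d\n",
           bad.refcnt, bad.freed, bad.lock_errors);
    model_sock_put(&bad);       /* the owner's own final put now underflows */
    printf("owner close: underflows=%d\n", bad.underflows);

    struct model_sock good = model_new_sock(LLCP_CLOSED);
    model_recv_fixed(&good);
    printf("fixed: refcnt=%d freed=%d lock_errors=%d\n",
           good.refcnt, good.freed, good.lock_errors);
    return 0;
}
```

Running the model on a socket that is already closed shows the vulnerable handler releasing the lock once too often and driving the refcount to zero while the owner still holds its reference; the owner's later put then goes below zero. The same handler on a connected socket, and the fixed handler on a closed one, leave the refcount at the owner's single reference. When reviewing a backport, confirm that both nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() received the return, since the commit message names both.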

03

Branch     Fixed in    Patch commit
5.10       5.10.258    b2a23529593d
5.15       5.15.209    665315df9c34
6.1        6.1.175     9b49e2a4b821
6.6        6.6.136     0eb1263a3b8c
6.12       6.12.83     796e0cac0582
6.18       6.18.24     8977fad2b3c6
6.19       6.19.14     ff3d9e8f7244
7.0        7.0.1       aba4712e8f03
mainline   7.1-rc1     2b5dd4632966