# nfc NCI Validation Bypass

Severity: HIGH
CVE: CVE-2026-43291
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
KernelScan AI score: 5.5 (MEDIUM)

## 01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: nfc: nci: Fix parameter validation for packet data

Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct).
## 02 KernelScan AI Analysis

### Risk summary
Local users with low privileges can cause kernel crashes by sending malformed NFC NCI packets. The vulnerability affects systems with NFC hardware where applications can communicate with NFC chips through the NCI protocol. Impact is limited to denial of service through kernel panics.
### Vulnerability analysis
The root cause is overly strict parameter validation introduced in commit 9c328f54741b that incorrectly validates variable-length NFC NCI packets against fixed structure sizes using sizeof(struct). This breaks legitimate communication with NFC chips because some NCI packets have variable-length data fields that cannot be validated against maximum structure sizes. The fix replaces rigid sizeof() checks with proper bounds checking using offsetofend() for required fields and validates actual data lengths against the packet's declared length fields. The attack surface is local-only, requiring access to NFC device nodes, typically available to applications with appropriate permissions.
## 03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.202 | a24a8a582da4 |
| 6.1 | 6.1.165 | f5218426f765 |
| 6.6 | 6.6.128 | ad058a4317db |
| 6.12 | 6.12.75 | 3b91160e9a91 |
| 6.18 | 6.18.16 | c692db813a7e |
| 6.19 | 6.19.6 | 498fc5d0d650 |
| mainline | 7.0 | 571dcbeb8e63 |