CVE-2026-31622
Published: 24 April 2026
Summary
CVE-2026-31622 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 8.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing the buffer overflow in the NFC-A cascade handler by applying kernel patches that add bounds checks to prevent exploitation.
SI-10 mandates validation of information inputs, which mitigates the vulnerability by enforcing bounds checks on peer-controlled cascade tags and incomplete bits in NFC responses to prevent buffer overflows.
SI-16 provides memory protections such as heap safeguards that limit the impact of heap-based buffer overflows even if input validation fails.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A kernel heap buffer overflow in the NFC subsystem lets an unprivileged attacker within adjacent (NFC) range gain arbitrary code execution with full system privileges, which maps to Exploitation for Privilege Escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round. Fix this by rejecting the response when the accumulated UID would exceed the buffer. Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.
Deeper analysis
CVE-2026-31622 is a buffer overflow vulnerability in the Linux kernel's NFC digital subsystem, specifically in the NFC-A anti-collision cascade handling within the digital_in_recv_sdd_res() function. The vulnerability arises because the function appends 3 or 4 bytes to the target->nfcid1 field on each cascade round, with the number of rounds and byte lengths controlled entirely by the peer device via the cascade tag in SDD_RES and the cascade-incomplete bit in SEL_RES. Although ISO 14443-3 limits NFC-A to three cascade levels and the nfcid1 buffer is sized to NFC_NFCID1_MAXSIZE (10 bytes), the driver lacks enforcement, allowing a malicious peer to extend the cascade indefinitely and overwrite memory past the heap-allocated nfc_target structure. The issue is scored at CVSS 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-120.
A malicious NFC peer device within adjacent physical proximity (NFC range) can exploit this vulnerability with low complexity, no privileges, and no user interaction required. By manipulating the cascade tags and incomplete bits in responses, the attacker triggers repeated appendages to nfcid1, causing a heap-based buffer overflow. This can lead to high-impact confidentiality, integrity, and availability violations, such as remote code execution, data corruption, or denial of service via kernel crash.
The provided references point to Linux kernel stable branch commits that mitigate the issue by adding a bounds check in digital_in_recv_sdd_res() that rejects SDD responses when the accumulated UID would exceed the nfcid1 buffer size. These commits (e.g., 1bec5698b55aa2be5c3b983dba657c01d0fd3dbc) follow the pattern of the earlier commit e329e71013c9, which fixed similar unchecked bounds on the NCI path. The recommended remediation is to update to stable kernel versions that incorporate these changes.
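The NVD description and the analysis above both describe the same mechanism: each SDD_RES round appends 3 bytes (cascade tag present) or 4 bytes (no tag) to nfcid1, the peer alone decides how many rounds occur, and the fix is to reject a response once the accumulated UID would exceed NFC_NFCID1_MAXSIZE. The following C program is an added illustration written for this page; it is not the kernel's digital_in_recv_sdd_res() code and does not touch real NFC hardware. It models nfc_target as a flat byte array whose tail stands in for adjacent heap memory, runs the same constructed peer responses through an unchecked and a bounds-checked handler, and reports whether the neighbouring bytes were overwritten. The cascade tag value 0x88, the omission of the BCC byte, and the neighbour-region layout are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the advisory: ISO 14443-3 allows three cascade levels and the kernel
 * sizes target->nfcid1 to NFC_NFCID1_MAXSIZE = 10 bytes. */
#define NFC_NFCID1_MAXSIZE 10
/* Cascade tag byte as defined by ISO 14443-3 (assumption; not quoted on the page). */
#define NFCA_CASCADE_TAG   0x88
/* Constructed stand-in for whatever the allocator placed after nfc_target. */
#define NEIGHBOUR_LEN      8
#define NEIGHBOUR_FILL     0xA5

/* Flat-byte model of the heap object: nfcid1 occupies mem[0..10), the
 * neighbour region mem[10..18). Using one array keeps the unchecked write
 * inside a single C object, so the demo itself is memory-safe. */
struct target_model {
    uint8_t mem[NFC_NFCID1_MAXSIZE + NEIGHBOUR_LEN];
    size_t  nfcid1_len;
};

struct cascade_result {
    size_t accepted;    /* rounds whose bytes were appended */
    size_t nfcid1_len;  /* bytes accumulated in nfcid1 */
    bool   clobbered;   /* true if the neighbour region was overwritten */
};

void target_init(struct target_model *t)
{
    memset(t->mem, 0, NFC_NFCID1_MAXSIZE);
    memset(t->mem + NFC_NFCID1_MAXSIZE, NEIGHBOUR_FILL, NEIGHBOUR_LEN);
    t->nfcid1_len = 0;
}

/* One SDD_RES round (4 UID/CT bytes; the BCC byte is omitted in this model).
 * Returns 0 if bytes were appended, -1 if the hardened handler rejected the
 * response, -2 if the demo's own clamp stopped the unchecked path. */
int sdd_res_round(struct target_model *t, const uint8_t sdd_res[4], bool hardened)
{
    /* The peer decides the length: a leading cascade tag means 3 UID bytes now
     * and another round later; no tag means the final 4 UID bytes. */
    bool cascade_tag = sdd_res[0] == NFCA_CASCADE_TAG;
    size_t uid_len = cascade_tag ? 3 : 4;
    const uint8_t *uid = cascade_tag ? sdd_res + 1 : sdd_res;

    /* The fix described in the advisory: reject once the accumulated UID
     * would exceed the nfcid1 buffer. The pre-fix driver has no such check. */
    if (hardened && t->nfcid1_len + uid_len > NFC_NFCID1_MAXSIZE)
        return -1;

    /* Demo-only clamp so the unchecked path cannot leave the model buffer;
     * the vulnerable kernel has no equivalent stop. */
    if (t->nfcid1_len + uid_len > sizeof t->mem)
        return -2;

    memcpy(t->mem + t->nfcid1_len, uid, uid_len);  /* append, as the driver does */
    t->nfcid1_len += uid_len;
    return 0;
}

/* True if any byte of the neighbour region lost its fill value. */
bool neighbour_clobbered(const struct target_model *t)
{
    for (size_t i = 0; i < NEIGHBOUR_LEN; i++)
        if (t->mem[NFC_NFCID1_MAXSIZE + i] != NEIGHBOUR_FILL)
            return true;
    return false;
}

/* Drive a whole cascade. The number of rounds is the peer's choice (the
 * cascade-incomplete bit); a rejected round ends the cascade. */
struct cascade_result run_scenario(const uint8_t (*rounds)[4], size_t nrounds, bool hardened)
{
    struct target_model t;
    struct cascade_result r = { 0, 0, false };
    target_init(&t);
    for (size_t i = 0; i < nrounds; i++) {
        if (sdd_res_round(&t, rounds[i], hardened) != 0)
            break;
        r.accepted++;
    }
    r.nfcid1_len = t.nfcid1_len;
    r.clobbered = neighbour_clobbered(&t);
    return r;
}

/* Constructed peer responses: a well-formed triple-size UID (3 + 3 + 4 = 10
 * bytes) and a rogue peer that keeps the cascade tag set for a fourth round. */
const uint8_t legit_rounds[3][4] = {
    { NFCA_CASCADE_TAG, 0x01, 0x02, 0x03 },
    { NFCA_CASCADE_TAG, 0x04, 0x05, 0x06 },
    { 0x07, 0x08, 0x09, 0x0a },
};
const uint8_t rogue_rounds[4][4] = {
    { NFCA_CASCADE_TAG, 0x11, 0x12, 0x13 },
    { NFCA_CASCADE_TAG, 0x14, 0x15, 0x16 },
    { NFCA_CASCADE_TAG, 0x17, 0x18, 0x19 },
    { NFCA_CASCADE_TAG, 0x1a, 0x1b, 0x1c },
};

int main(void)
{
    struct cascade_result a = run_scenario(legit_rounds, 3, true);
    struct cascade_result b = run_scenario(rogue_rounds, 4, false);
    struct cascade_result c = run_scenario(rogue_rounds, 4, true);
    printf("legit/hardened:  accepted=%zu len=%zu clobbered=%d\n", a.accepted, a.nfcid1_len, a.clobbered);
    printf("rogue/unchecked: accepted=%zu len=%zu clobbered=%d\n", b.accepted, b.nfcid1_len, b.clobbered);
    printf("rogue/hardened:  accepted=%zu len=%zu clobbered=%d\n", c.accepted, c.nfcid1_len, c.clobbered);
    return 0;
}
```

The check sits before the copy and compares the length the round would produce, not the length already stored, which is what makes a 9-byte accumulator reject a further 3-byte append rather than write 12 bytes into a 10-byte field. A legitimate three-level UID still fills nfcid1 exactly, so the hardened handler changes nothing for conforming peers.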
Details
- CWE(s)