CVE-2026-31629
Published: 24 April 2026
Summary
CVE-2026-31629 is a high-severity Improper Locking (CWE-667) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 7.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation by applying the upstream kernel patches directly eliminates the use-after-free caused by the missing return statements in the NFC LLCP functions.
Prohibiting or restricting unnecessary NFC LLCP functionality removes exposure to the socket-state handling flaw over the NFC interface.
Enforcing secure configuration settings for the Linux kernel ensures a patched state and hardened parameters that mitigate the double release_sock() and the refcount underflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A kernel use-after-free in NFC LLCP allows unauthenticated exploitation by an adjacent attacker over the NFC protocol, directly enabling T1210 (exploitation of remote services) and T1068 (kernel-level privilege escalation to achieve arbitrary code execution).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks. In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free. Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
Deeper analysis
CVE-2026-31629 is a use-after-free vulnerability in the Linux kernel's NFC LLCP subsystem. Specifically, in the functions nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code calls release_sock() and nfc_llcp_sock_put() but omits a return statement, allowing execution to continue. This results in a double invocation of release_sock() and nfc_llcp_sock_put(), causing a reference count underflow and subsequent use-after-free. The issue affects Linux kernel versions prior to the application of the relevant stable patches.
An attacker on the adjacent network, with low attack complexity and no privileges or user interaction required, can exploit this vulnerability over the NFC interface. Successful exploitation has high-impact confidentiality, integrity, and availability consequences (CVSS 3.1 score of 8.8: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes via the use-after-free.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits: 0eb1263a3b8c36418c9ba295c9ab3abed664edbf, 2b5dd4632966c39da6ba74dbc8689b309065e82c, 796e0cac058252d0ad34ebe288e6f7979b5fc9b2, 8977fad2b3c6eefd414131168d597c5d1d5e1abf, and aba4712e8f0381cd5d196534ce2ad082626a5ab6. These commits add the missing return statements after the LLCP_CLOSED checks to prevent fall-through and double releases. Security practitioners should ensure NFC LLCP functionality is disabled if not required, pending patch deployment.
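As an added illustration (not the kernel's code or the patch itself), the C model below reproduces the control-flow shape the advisory describes using constructed stand-in types: the pre-fix handler falls through after the LLCP_CLOSED cleanup, the fixed handler returns, and `audit_handler` reports which lock and refcount invariants each shape breaks. The `llcp_sock` struct, the `FAULT_*` bits and `audit_handler` are assumptions of this model, not kernel definitions.

```c
/* Constructed stand-ins for this model, not the kernel's own definitions. */
enum { LLCP_CLOSED = 0, LLCP_CONNECTED = 1 };
enum { FAULT_DOUBLE_RELEASE = 1, FAULT_REFCNT_UNDERFLOW = 2, FAULT_LEAK = 4 };

struct llcp_sock {
    int state;
    int refcnt;   /* references held; 1 = the lookup reference the handler owns */
    int locked;   /* lock_sock() nesting depth */
    int faults;   /* FAULT_* bits recorded while the model runs */
};

static void lock_sock(struct llcp_sock *s) { s->locked++; }
static void release_sock(struct llcp_sock *s) { if (s->locked) s->locked--; else s->faults |= FAULT_DOUBLE_RELEASE; }
static void nfc_llcp_sock_put(struct llcp_sock *s) { if (--s->refcnt < 0) s->faults |= FAULT_REFCNT_UNDERFLOW; }

/* Pre-fix shape: the LLCP_CLOSED branch cleans up but does not return, so the common tail repeats both calls. */
static void recv_disc_before(struct llcp_sock *s)
{
    lock_sock(s);
    if (s->state == LLCP_CLOSED) {
        release_sock(s);
        nfc_llcp_sock_put(s);
        /* missing return: execution falls through to the tail below */
    }
    release_sock(s);
    nfc_llcp_sock_put(s);
}

/* Fixed shape: return immediately after the LLCP_CLOSED cleanup, as the upstream commits do. */
static void recv_disc_after(struct llcp_sock *s)
{
    lock_sock(s);
    if (s->state == LLCP_CLOSED) {
        release_sock(s);
        nfc_llcp_sock_put(s);
        return;
    }
    release_sock(s);
    nfc_llcp_sock_put(s);
}

/* Runs a handler on a fresh socket in the given state; returns the FAULT_* bits tripped (0 = balanced). */
int audit_handler(void (*handler)(struct llcp_sock *), int state)
{
    struct llcp_sock s = { .state = state, .refcnt = 1, .locked = 0, .faults = 0 };
    handler(&s);
    if (s.refcnt > 0 || s.locked > 0)
        s.faults |= FAULT_LEAK;   /* reference or lock never dropped */
    return s.faults;
}
```

Running the closed-state case through both shapes shows the double release and the underflow only in the pre-fix handler; the connected path is balanced in both.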
Details
- CWE(s)