GHSA-3R85-565G-4JHQ
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-24 15:32In the Linux kernel, the following vulnerability has been resolved:
NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows).
ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round.
Fix this by rejecting the response when the accumulated UID would exceed the buffer.
Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.
{
"affected": [],
"aliases": [
"CVE-2026-31622"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:41Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: digital: Bounds check NFC-A cascade depth in SDD response handler\n\nThe NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3\nor 4 bytes to target-\u003enfcid1 on each round, but the number of cascade\nrounds is controlled entirely by the peer device. The peer sets the\ncascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the\ncascade-incomplete bit in the SEL_RES (deciding whether another round\nfollows).\n\nISO 14443-3 limits NFC-A to three cascade levels and target-\u003enfcid1 is\nsized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver\nactually enforces this. This means a malicious peer can keep the\ncascade running, writing past the heap-allocated nfc_target with each\nround.\n\nFix this by rejecting the response when the accumulated UID would exceed\nthe buffer.\n\nCommit e329e71013c9 (\"NFC: nci: Bounds check struct nfc_target arrays\")\nfixed similar missing checks against the same field on the NCI path.",
"id": "GHSA-3r85-565g-4jhq",
"modified": "2026-04-24T15:32:35Z",
"published": "2026-04-24T15:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31622"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1bec5698b55aa2be5c3b983dba657c01d0fd3dbc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d9d9bf3565271ca7ab9c716a94e87296177e7ba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cc024a3de265ef6c58957f4990eccb9f806208cb"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.