Mallory
High

Heap Out-of-Bounds Write in Linux kernel NFC digital_in_recv_sdd_res()

Identifiers: CVE-2026-31622, CWE-787

CVE-2026-31622 is a Linux kernel NFC subsystem vulnerability in the NFC digital stack, specifically in the NFC-A anti-collision SDD response handler digital_in_recv_sdd_res(). During NFC-A anti-collision, the handler appends 3 or 4 bytes to target->nfcid1 on each cascade round. The peer device controls both whether 3 or 4 bytes are appended via the cascade tag in SDD_RES and whether additional cascade rounds continue via the cascade-incomplete bit in SEL_RES. Although ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), the vulnerable code did not enforce this limit. As a result, a malicious NFC peer could force excessive cascade rounds and cause writes past the end of the heap-allocated struct nfc_target buffer, resulting in a heap-based out-of-bounds write. The fix adds bounds checking and rejects responses when the accumulated UID would exceed the target->nfcid1 buffer.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an adjacent malicious NFC peer to corrupt kernel heap memory by writing beyond the bounds of target->nfcid1 within a heap-allocated nfc_target structure. This can lead to kernel memory corruption, system instability, crashes, and denial of service. Because the corruption occurs in kernel context, there is also potential for more serious impact such as controlled memory corruption and possible code execution or privilege compromise, although the provided content does not confirm a demonstrated exploit chain beyond the heap out-of-bounds write.

Mitigation

If you can’t patch tonight, do this now.

Limit exposure of vulnerable systems to untrusted NFC peers until patched. Disable NFC functionality or unload/blacklist the relevant NFC kernel modules where operationally feasible, especially on systems that do not require NFC. Restrict physical proximity access to affected devices, since exploitation requires an adjacent NFC-capable attacker device. These are temporary risk-reduction measures and do not replace patching.

Remediation

Patch, then assume compromise.

Update to a Linux kernel release containing the fix for CVE-2026-31622. The upstream remediation is to enforce bounds checking in digital_in_recv_sdd_res() and reject NFC-A SDD responses when the accumulated UID length would exceed target->nfcid1. Vendor backports are available in multiple SUSE kernel advisories, including SUSE-SU-2026:2195-1 and related updates for SLE, openSUSE, and SUSE Linux Micro product lines.
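
The length check described above, shown as an added userspace model in C; it is not the kernel source or the upstream patch. NFC_NFCID1_MAXSIZE and the 3-or-4-byte append come from the description, 0x88 is the ISO 14443-3 cascade tag value, and target_model, append_sdd_res, run_rounds and CASCADE_TAG are hypothetical names used only for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NFC_NFCID1_MAXSIZE 10   /* buffer size stated in the advisory */
#define CASCADE_TAG 0x88        /* ISO 14443-3 cascade tag (CT) */

struct target_model {           /* hypothetical stand-in for struct nfc_target */
    uint8_t nfcid1[NFC_NFCID1_MAXSIZE];
    size_t nfcid1_len;
};

/* Append the UID bytes of one SDD_RES (BCC omitted).
 * Returns 0 on success, -1 if the accumulated UID would not fit. */
static int append_sdd_res(struct target_model *t, const uint8_t uid[4])
{
    size_t offset = 0, size = 4;

    if (uid[0] == CASCADE_TAG) {    /* CT present: only 3 UID bytes follow */
        offset = 1;
        size = 3;
    }
    /* Bounds check: reject before copying, never after. */
    if (size > NFC_NFCID1_MAXSIZE - t->nfcid1_len)
        return -1;
    memcpy(t->nfcid1 + t->nfcid1_len, uid + offset, size);
    t->nfcid1_len += size;
    return 0;
}

/* Feed constructed responses in order; return how many rounds were accepted. */
static int run_rounds(struct target_model *t, const uint8_t frames[][4], int rounds)
{
    int accepted = 0;
    memset(t, 0, sizeof(*t));
    for (int i = 0; i < rounds; i++) {
        if (append_sdd_res(t, frames[i]) != 0)
            break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed input: a peer that signals a cascade tag on four rounds. */
    const uint8_t frames[4][4] = {{0x88,1,2,3},{0x88,4,5,6},{0x88,7,8,9},{0x88,10,11,12}};
    struct target_model t;
    return run_rounds(&t, frames, 4) == 3 ? 0 : 1;  /* fourth round is rejected */
}
```
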
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Linux | Linux Kernel | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
