CVE-2026-31622 | Linux Kernel up to 6.12.82/6.18.23/6.19.13/7.0.0 NFC digital_in_recv_sdd_res heap-based overflow

VDB-359369 · CVE-2026-31622 · GCVE-0-2026-31622 LINUX KERNEL UP TO 6.12.82/6.18.23/6.19.13/7.0.0 NFC DIGITAL_IN_RECV_SDD_RES HEAP-BASED OVERFLOW HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.6 $5k-$25k 0.00+ Summaryinfo A vulnerability has been found in Linux Kernel up to 6.12.82/6.18.23/6.19.13/7.0.0 and classified as critical. Affected is the function digital_in_recv_sdd_res of the component NFC. The manipulation leads to heap-based overflow. This vulnerability is traded as CVE-2026-31622. There is no exploit available. The affected component should be upgraded. Detailsinfo A vulnerability was found in Linux Kernel up to 6.12.82/6.18.23/6.19.13/7.0.0. It has been rated as critical. This issue affects the function digital_in_recv_sdd_res of the component NFC. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability. The summary by CVE is: In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round. Fix this by rejecting the response when the accumulated UID would exceed the buffer. Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path. The advisory is shared at git.kernel.org. The identification of this vulnerability is CVE-2026-31622 since 03/09/2026. The exploitation is known to be easy. Technical details are known, but no exploit is available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 04/24/2026). Upgrading to version 6.12.83, 6.18.24, 6.19.14 or 7.0.1 eliminates this vulnerability. Applying the patch 1bec5698b55aa2be5c3b983dba657c01d0fd3dbc/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1/8d9d9bf3565271ca7ab9c716a94e87296177e7ba/cc024a3de265ef6c58957f4990eccb9f806208cb is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Type Operating System Vendor Linux Name Kernel Version 6.12.0 6.12.1 6.12.2 6.12.3 6.12.4 6.12.5 6.12.6 6.12.7 6.12.8 6.12.9 6.12.10 6.12.11 6.12.12 6.12.13 6.12.14 6.12.15 6.12.16 6.12.17 6.12.18 6.12.19 6.12.20 6.12.21 6.12.22 6.12.23 6.12.24 6.12.25 6.12.26 6.12.27 6.12.28 6.12.29 6.12.30 6.12.31 6.12.32 6.12.33 6.12.34 6.12.35 6.12.36 6.12.37 6.12.38 6.12.39 6.12.40 6.12.41 6.12.42 6.12.43 6.12.44 6.12.45 6.12.46 6.12.47 6.12.48 6.12.49 6.12.50 6.12.51 6.12.52 6.12.53 6.12.54 6.12.55 6.12.56 6.12.57 6.12.58 6.12.59 6.12.60 6.12.61 6.12.62 6.12.63 6.12.64 6.12.65 6.12.66 6.12.67 6.12.68 6.12.69 6.12.70 6.12.71 6.12.72 6.12.73 6.12.74 6.12.75 6.12.76 6.12.77 6.12.78 6.12.79 6.12.80 6.12.81 6.12.82 6.18.0 6.18.1 6.18.2 6.18.3 6.18.4 6.18.5 6.18.6 6.18.7 6.18.8 6.18.9 6.18.10 6.18.11 6.18.12 6.18.13 6.18.14 6.18.15 6.18.16 6.18.17 6.18.18 6.18.19 6.18.20 6.18.21 6.18.22 6.18.23 6.19.0 6.19.1 6.19.2 6.19.3 6.19.4 6.19.5 6.19.6 6.19.7 6.19.8 6.19.9 6.19.10 6.19.11 6.19.12 6.19.13 7.0 License open-source Website Vendor: https://www.kernel.org/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 8.0 VulDB Meta Temp Score: 7.6 VulDB Base Score: 8.0 VulDB Temp Score: 7.6 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Heap-based overflow CWE: CWE-122 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Partially Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Kernel 6.12.83/6.18.24/6.19.14/7.0.1 Patch: 1bec5698b55aa2be5c3b983dba657c01d0fd3dbc/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1/8d9d9bf3565271ca7ab9c716a94e87296177e7ba/cc024a3de265ef6c58957f4990eccb9f806208cb Timelineinfo 03/09/2026 CVE reserved 04/24/2026 +45 days Advisory disclosed 04/24/2026 +0 days VulDB entry created 04/24/2026 +0 days VulDB entry last update Sourcesinfo Vendor: kernel.org Advisory: git.kernel.org Status: Confirmed CVE: CVE-2026-31622 (🔒) GCVE (CVE): GCVE-0-2026-31622 GCVE (VulDB): GCVE-100-359369 Entryinfo Created: 04/24/2026 17:43 Changes: 04/24/2026 17:43 (59) Complete: 🔍 Cache ID: 99:331:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸