cve-2026-31509

CVE-2026-31509 is a Linux kernel vulnerability in the NFC NCI subsystem, published on April 22, 2026. The bug is a locking-order failure in the close path of nci_close_device, where a workqueue flush is performed while holding req_lock, creating a deadlock risk with nci_rx_work. The upstream fix moves the flush outside the lock to resolve the circular dependency. This is not a memory corruption issue but a stability flaw that could cause system hangs. The tag covers discussions about the vulnerability details, the fix, and implications for Linux systems using NFC.