Navigation section

CVE-2026-31629: Missing return in Linux NFC LLCP can trigger double release UAF

  • Thread Author
CVE-2026-31629 is a small Linux kernel flaw with a familiar lesson: in privileged code, a missing return can become a memory-safety vulnerability. The issue sits in the kernel’s NFC LLCP receive path, where two functions clean up a closed socket but then continue executing and repeat the cleanup. The result is a double release, a reference count underflow, and ultimately a possible use-after-free in code that runs inside the kernel. Although the affected subsystem is niche, the vulnerability deserves attention because it highlights how edge hardware support can still shape real-world Linux security exposure.

Close-up of a black desktop lock mechanism with a red arrow indicating the release point.Overview​

The vulnerability was published on April 24, 2026, with kernel.org listed as the assigning source and with NVD enrichment still pending. That means administrators should not wait for a final NVD score before acting, because the technical cause and upstream fix are already clear. The public description identifies the affected code paths as nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() in the Linux kernel NFC LLCP implementation.
The flaw is not a sweeping protocol failure or a remotely reachable Internet bug in the usual enterprise sense. It is a control-flow error in kernel networking code, triggered when a socket has already moved into the LLCP_CLOSED state. In that branch, the code correctly calls release_sock() and nfc_llcp_sock_put(), but it fails to stop execution afterward.
That missing stop is the heart of the vulnerability. Once execution falls through, the function reaches later cleanup logic that calls the same operations again. In kernel memory-management terms, that means the object lifecycle can be advanced twice even though the code only acquired the relevant reference once.
Historically, Linux kernel NFC has been a smaller corner of the networking stack compared with TCP/IP, Wi-Fi, Bluetooth, or USB. Yet the kernel’s attack surface is not measured only by popularity. Any compiled, reachable, or loadable subsystem that parses external input and manipulates kernel objects can become security-relevant when lifecycle rules are violated.

The Bug in Plain English​

At its simplest, CVE-2026-31629 is a missing-return bug. The vulnerable functions notice that a socket is closed, perform cleanup, and then accidentally continue as if cleanup had not already happened. In ordinary application code, that might cause a crash; in kernel code, it can corrupt object lifetime accounting.
The problematic sequence involves two operations with different but related purposes. release_sock() releases the lock associated with the socket, while nfc_llcp_sock_put() drops a reference to the LLCP socket object. Calling them once is expected; calling them twice on the same control path is not.
The public patch adds exactly what the logic needed: a return after the closed-socket cleanup in both receive handlers. That two-line fix is striking because the vulnerability is not hidden in a large algorithm. It is a reminder that security bugs often live in error paths, early exits, and unusual state transitions.

Why a Two-Line Fix Matters​

A patch that inserts two return statements can look trivial during review, but the effect is substantial. Kernel references are not advisory bookkeeping; they decide when objects remain valid and when memory can be reclaimed. If a reference count drops too far, later code may still hold a pointer to memory that is no longer owned by the object it expects.
Key technical ingredients include:
  • Closed socket state through LLCP_CLOSED
  • Duplicate cleanup through repeated release_sock()
  • Reference count underflow through repeated nfc_llcp_sock_put()
  • Use-after-free risk after object lifetime is mishandled
  • NFC LLCP receive handling as the vulnerable subsystem
This is the sort of bug that automated testing, fuzzing, and careful static review are designed to catch. It also shows why maintainers care deeply about balanced acquire/release patterns in kernel subsystems that may appear peripheral.

NFC LLCP: A Niche Protocol With Kernel Privilege​

NFC, or Near Field Communication, is best known to consumers through contactless payments, pairing workflows, smart cards, access badges, and tap-to-share interactions. In Linux, NFC support includes protocol layers that allow devices to exchange information over very short distances. LLCP, the Logical Link Control Protocol, provides a link-layer abstraction for peer-to-peer NFC communication.
That proximity requirement changes the risk model but does not eliminate risk. Unlike a server listening on a public Internet port, NFC generally requires an attacker to be physically close to the target device or to influence an attached NFC device path. Still, proximity-based attack surfaces matter in laptops, phones, kiosks, embedded controllers, payment terminals, and industrial systems.
Linux’s NFC implementation lives in the kernel because it integrates with networking abstractions and device drivers. That design provides performance and standard interfaces, but it also raises the stakes when parsing or state-management bugs appear. A flaw in user-space NFC tooling is one thing; a flaw in the kernel’s socket handling is another.

Where LLCP Fits​

LLCP is used for peer-to-peer NFC communication, not for every common NFC use case. Many systems with NFC hardware may never exercise the vulnerable functions in normal daily operation. However, vulnerability management cannot assume that unused code is unreachable unless configuration, hardware inventory, and module loading behavior confirm it.
A practical exposure assessment should consider:
  • Whether the system has NFC hardware
  • Whether kernel NFC support is built in or loadable
  • Whether the LLCP subsystem is enabled
  • Whether untrusted users can access NFC-related interfaces
  • Whether the device operates in a public or semi-public physical environment
For WindowsForum readers who run Linux alongside Windows, this distinction matters. A desktop without NFC hardware is probably in a very different risk category from a Linux-based kiosk with an NFC reader attached.

Anatomy of the Use-After-Free​

A use-after-free occurs when code continues using memory after the object that owned it has been released. In modern kernels, that class of bug is dangerous because freed memory can be reallocated for another purpose. If stale pointers later read or write through that old address, the kernel may crash, leak information, or in more severe circumstances allow controlled memory corruption.
In CVE-2026-31629, the immediate public description points to double cleanup after LLCP_CLOSED checks. The first cleanup is intentional because the function has acquired a socket lock and reference before it discovers the closed state. The second cleanup is accidental because the function falls through into later logic.
Reference counting is supposed to answer a simple question: how many active users still need this object? When the answer reaches zero, the object can be destroyed. A double put can make the kernel believe no one needs the object earlier than reality, which is where the use-after-free window opens.

Why Refcount Bugs Are Persistent​

Reference-counting mistakes remain common because they hide in complex control flow. Developers must pair every successful acquisition with exactly one release, including paths for errors, closed states, partial initialization, and concurrent teardown. The more states a protocol has, the easier it becomes to miss one branch.
This vulnerability involves a particularly common pattern:
  • Acquire or look up an object and take a reference.
  • Lock the associated socket or structure.
  • Check whether the object is still in a valid state.
  • Clean up immediately if the state is invalid.
  • Accidentally continue into shared cleanup logic.
That fifth step is where intent and execution diverge. The programmer’s mental model says the function is finished, but the compiler sees no return, so the code keeps running.

The Patch and Stable Backports​

The upstream fix is concise: add missing return statements after the LLCP_CLOSED cleanup branches in both nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(). The patch was submitted to the networking tree, reviewed, accepted, and then propagated into stable review streams. Stable kernel references visible in public records include multiple backport commits, reflecting the usual Linux process of carrying important fixes across supported branches.
The original fixed upstream commit is identified in public patch discussion as 2b5dd4632966, with the issue tied back to the older initial LLCP support commit. That historical link is important because it suggests the vulnerable control-flow pattern may have existed for a long time, even if practical exploitability depends heavily on configuration and reachability. Long-lived bugs in rarely exercised subsystems are a recurring theme in kernel security.
Stable backports are especially important for enterprise Linux users because production deployments often run long-term support kernels rather than the newest mainline release. A fix landing upstream does not automatically mean every distribution kernel is already patched. Distribution vendors still need to import, test, package, and publish the relevant updates.

What Changed in Code​

The code change is conceptually small but semantically decisive. After the function handles a closed socket, it now exits immediately. That prevents the later shared cleanup path from running on the same socket reference.
Administrators and developers should interpret the fix this way:
  • The bug is a control-flow error, not a cryptographic weakness.
  • The patch prevents fall-through after cleanup.
  • The mitigation is to run a kernel containing the corrected LLCP receive handlers.
  • Workarounds may include disabling unused NFC support, but patching remains the clean fix.
  • Backport status depends on the distribution or kernel branch in use.
Because the patch touches only NFC LLCP receive handling, it is unlikely to be disruptive compared with broad networking changes. Even so, kernel updates always require normal reboot planning unless live patching coverage is explicitly available.

Severity Without a Final NVD Score​

As of publication, the NVD record is marked as awaiting enrichment, and no NIST CVSS vector has been assigned. That leaves security teams in the familiar position of triaging a technically clear kernel bug without a final centralized severity label. In practice, the absence of a score should not be mistaken for the absence of risk.
The likely severity depends on several variables. If NFC and LLCP are unavailable, disabled, or not exposed to untrusted interaction, practical risk may be low. If NFC is active on a shared device, public kiosk, testing station, or embedded deployment, the exposure becomes more meaningful.
The public description does not claim active exploitation, and there is no need to inflate the issue into a universal emergency. At the same time, kernel use-after-free is a serious vulnerability class. Even when exploitability is uncertain, memory-safety bugs in privileged code deserve timely remediation.

Reading the Risk Correctly​

A balanced assessment should avoid both extremes. It would be wrong to treat every Linux workstation as immediately exploitable from across the Internet. It would also be wrong to dismiss the vulnerability simply because NFC is short-range and less common than Wi-Fi or Ethernet.
Useful triage questions include:
  • Is NFC support compiled into the running kernel?
  • Are NFC modules loaded on the system?
  • Does the machine have accessible NFC hardware?
  • Can untrusted local users interact with NFC sockets or devices?
  • Is the machine physically exposed to unknown people?
  • Has the distribution already shipped a kernel with the fix?
For many organizations, CVE-2026-31629 will fall into the “patch during the next kernel maintenance window” category. For public-facing embedded devices with NFC, it may deserve faster attention.

Enterprise Impact: Servers, Fleets, and Embedded Linux​

Traditional data-center servers are unlikely to be the main concern unless their kernels include NFC support and local users can trigger the relevant paths. Rack servers typically lack NFC hardware, and many hardened kernel builds omit peripheral subsystems they do not need. That reduces practical exposure, but it does not remove the need for inventory-based verification.
Enterprise fleets are more complicated. Laptops, tablets, point-of-sale systems, badge stations, factory terminals, and custom appliances may include NFC hardware or vendor-specific reader modules. A vulnerability like this becomes relevant wherever Linux acts as the operating system for physical-world interaction.
Embedded Linux deserves special attention because devices often remain deployed for years with conservative kernel branches. They may also expose NFC functionality as a core product feature. In those cases, an obscure kernel subsystem can become a primary attack surface.

Operational Triage for IT Teams​

Security teams should prioritize based on reachability, business role, and update friction. The most exposed systems are not necessarily the most numerous systems. A single public kiosk with an NFC reader may deserve more urgent treatment than a thousand headless servers without NFC hardware.
A practical enterprise workflow looks like this:
  • Identify Linux systems with NFC hardware or NFC modules.
  • Confirm kernel versions and vendor patch status.
  • Review whether LLCP support is enabled.
  • Patch test devices first, focusing on NFC workflows.
  • Roll out kernel updates through standard maintenance rings.
  • Disable NFC support where it is unnecessary.
  • Monitor logs for NFC-related instability after deployment.
This process keeps the response proportional. It avoids panic while still addressing a memory-safety defect in privileged code.

Consumer and Enthusiast Impact​

For most desktop Linux users, the risk depends on whether their machine has NFC hardware and whether the kernel exposes the relevant subsystem. Many consumer desktops will not have NFC at all. Some laptops, development boards, and phones running Linux-derived systems may be different.
Enthusiasts who compile custom kernels should check whether CONFIG_NFC_LLCP or broader NFC support is enabled. If it is enabled only because a distribution default included it, disabling it may reduce unnecessary attack surface. If it is required for a project, updating to a fixed kernel is the better path.
Dual-boot and Windows Subsystem for Linux users should avoid conflating this flaw with a Windows kernel vulnerability. The affected code is Linux kernel NFC LLCP code. The Microsoft listing is significant for tracking and ecosystem awareness, but it does not mean ordinary Windows NFC handling is automatically affected by this Linux kernel bug.

What Home Users Should Do​

Home users do not need an elaborate incident response plan. They need to keep their system updated and understand whether NFC is part of their hardware profile. If they never use NFC, disabling the feature is reasonable.
Helpful actions include:
  • Install the next distribution kernel update when offered.
  • Reboot after updating so the fixed kernel is actually running.
  • Check whether NFC modules are loaded if you are comfortable with Linux administration.
  • Disable NFC in firmware or system settings if it is unused.
  • Avoid experimental NFC tools on unpatched systems.
The key point is simple: patching is likely easier than proving non-exposure. If your distribution ships a fixed kernel, take it.

The Microsoft Angle​

The user-visible source for this CVE appears in Microsoft’s Security Update Guide, which can be confusing at first glance. Microsoft tracks many vulnerabilities that intersect with its ecosystem, including open-source components, Linux-based products, cloud infrastructure, developer tools, and environments where Microsoft distributes or supports non-Windows software. A Microsoft listing does not automatically mean the Windows kernel itself contains the vulnerable Linux NFC code.
This distinction matters for WindowsForum readers. Microsoft now operates across Windows, Azure, Linux, containers, developer platforms, and managed services. Vulnerability tracking has therefore become broader than the old Patch Tuesday mental model of “a Windows DLL gets a KB update.”
For administrators, the practical question is not whether the CVE appears under Microsoft’s umbrella. The practical question is whether any Microsoft-provided or Microsoft-managed Linux environment in your estate carries an affected kernel. That could include specialized appliances, Azure-hosted Linux images, container hosts, or development systems depending on configuration.

Avoiding Misinterpretation​

Security dashboards sometimes flatten nuance. A CVE may appear in a feed, scanner, or vendor portal without clearly indicating whether a specific Windows endpoint is affected. That can lead to wasted remediation effort or, worse, missed exposure in the Linux systems that actually matter.
A useful interpretation framework is:
  • Windows kernel exposure should not be assumed from this CVE alone.
  • Linux kernel exposure should be assessed by kernel version and configuration.
  • Microsoft ecosystem relevance may involve Azure, WSL-related components, or Linux distributions.
  • Scanner findings should be validated against actual installed packages.
  • Patch guidance should follow the operating system vendor responsible for the kernel.
In short, treat the Microsoft listing as a signal to investigate, not as proof that every Microsoft-managed endpoint is vulnerable.

Why Small Kernel Subsystems Keep Producing Big Lessons​

CVE-2026-31629 belongs to a long line of kernel issues found in subsystems that many users never consciously enable. The Linux kernel supports an enormous range of hardware, protocols, filesystems, and legacy interfaces. That breadth is one of Linux’s strengths, but it also creates review and maintenance challenges.
Rarely used code can be harder to test under real-world state transitions. Mainstream networking paths receive constant exercise from millions of systems, while NFC LLCP paths may only run in specialized contexts. Bugs in such areas can persist because the code is correct enough for normal cases but fragile under edge states.
The fix also illustrates the value of security research and automated testing in the kernel community. Tools that exercise odd sequences, closed states, malformed frames, and concurrency windows are essential. Human reviewers are good, but they cannot manually simulate every object-lifetime path in a kernel as large as Linux.

The Maintenance Trade-Off​

Linux maintainers constantly balance feature support against security and maintenance cost. Removing obscure drivers or protocols can break real users. Keeping them requires review, testing, and rapid fixes when vulnerabilities surface.
This vulnerability reinforces several maintenance principles:
  • Dead or unused code still carries security cost.
  • Protocol state machines need aggressive negative testing.
  • Reference counting should be guarded by clear ownership rules.
  • Stable backports are essential for long-lived deployments.
  • Subsystem maintainers need enough review bandwidth for niche areas.
The long-term answer is not simply to remove every uncommon feature. The better answer is to make optional code easier to disable, easier to test, and easier to audit.

Competitive and Ecosystem Implications​

From a competitive standpoint, this CVE is not about Linux losing ground to Windows, macOS, or another platform. Every major operating system has memory-safety bugs in privileged code. The more meaningful comparison is how quickly each ecosystem finds, fixes, backports, and communicates issues.
Linux’s open development model gives defenders unusually direct visibility into patches. The public mailing-list discussion shows the exact change, the review path, and stable backport activity. That transparency helps experienced administrators move before vulnerability databases finish enrichment.
At the same time, transparency can overwhelm less mature teams. A two-line kernel patch may appear in a feed, then in stable review, then in vendor advisories, then in scanner results, each with different wording and timing. Organizations need processes that convert open-source signal into practical risk decisions.

What Rivals Can Learn​

Windows, macOS, BSD, Android, and Linux all wrestle with the same basic problem: kernel code is powerful, old, and complex. The competitive advantage goes to platforms that shorten the time between discovery and safe deployment. That includes not just patch creation, but also packaging, testing, reboot coordination, and fleet visibility.
Key ecosystem lessons include:
  • Fast upstream fixes are only the first step.
  • Clear downstream advisories reduce confusion.
  • Hardware-dependent vulnerabilities need better asset context.
  • Memory-safety work remains central to OS security.
  • Optional components should be easy to inventory and disable.
For enterprises, the winning platform is often the one that makes exposure easiest to prove. In this case, Linux gives strong technical transparency, but administrators still need distribution-specific patch data.

Detection, Mitigation, and Practical Verification​

Detecting exposure to CVE-2026-31629 starts with kernel inventory. The vulnerable code is in the Linux kernel, so application package updates alone are not enough. A system needs a kernel build that includes the relevant upstream or backported fix.
Mitigation can take two forms: patching or reducing reachability. Patching is preferable because it corrects the lifecycle bug. Reducing reachability, such as disabling NFC modules or hardware, can be useful when immediate patching is not possible.
Verification should be cautious because commit hashes differ across stable branches and distribution kernels. A vendor may backport the fix without changing the visible upstream version number in the way a scanner expects. That is why distribution changelogs and package metadata matter.

A Sensible Verification Checklist​

Administrators can use a layered approach rather than relying on one indicator. The goal is to confirm both whether the system could reach the vulnerable path and whether the fix is present.
A practical checklist includes:
  • Confirm the running kernel, not just the installed kernel package.
  • Check whether NFC and LLCP support are enabled.
  • Determine whether NFC hardware is present or exposed.
  • Review vendor advisories for the installed distribution.
  • Validate scanner findings against distribution backports.
  • Reboot systems after kernel updates.
  • Document exceptions where NFC is disabled or absent.
This kind of verification is especially important for long-term support distributions. Backported fixes often preserve older version strings, which can confuse simple version-based checks.

Strengths and Opportunities​

The response to CVE-2026-31629 shows several strengths in the Linux security ecosystem, even though the vulnerability itself is a reminder of how fragile kernel object lifetimes can be. The public trail from patch submission to review and stable backporting gives defenders actionable information before all databases have finished scoring the issue. That is a meaningful advantage for teams that monitor upstream kernel activity.
  • Transparent upstream discussion makes the root cause easy to understand.
  • Minimal patch size reduces the likelihood of regression in unrelated networking code.
  • Stable backport activity helps long-term kernel users receive the fix.
  • Clear technical description supports accurate scanner and advisory mapping.
  • Configuration-dependent exposure allows risk-based prioritization.
  • Niche subsystem focus encourages better inventory of optional kernel features.
  • Memory-safety visibility reinforces investment in fuzzing and static analysis.
The broader opportunity is to use this incident as a prompt for kernel attack-surface reduction. If an organization does not need NFC, it should not carry active NFC functionality by accident.

Risks and Concerns​

The main risk is not that every Linux system is suddenly exposed to a nearby attacker. The more realistic concern is inconsistent understanding across mixed environments. A CVE that mentions Microsoft, Linux, NFC, and kernel use-after-free can easily be misrouted between Windows administrators, Linux teams, cloud engineers, and vulnerability managers.
  • No final NVD score yet may delay prioritization in score-driven programs.
  • Scanner ambiguity may flag systems without proving LLCP reachability.
  • Backport complexity may obscure whether a distribution kernel is fixed.
  • Physical proximity assumptions may lead teams to dismiss public kiosks or embedded devices.
  • Use-after-free impact can be underestimated because the patch is only two lines.
  • Kernel reboot requirements may slow deployment in high-availability environments.
  • Optional subsystem sprawl can leave unnecessary code enabled across fleets.
The most dangerous response would be automated complacency: waiting for a CVSS number, assuming no NFC exists anywhere, and moving on. The better response is targeted validation.

Looking Ahead​

The immediate next step is distribution response. Kernel.org and stable tree activity are only part of the story; enterprises depend on Red Hat, Canonical, SUSE, Debian, Fedora, Arch, Android-derived vendors, embedded suppliers, and cloud image maintainers to ship consumable updates. The timing will vary by branch, support policy, and whether the kernel configuration includes the affected NFC LLCP code.
The second thing to watch is vulnerability enrichment. Once NVD and vendor advisories assign weakness mappings, CVSS vectors, and affected-product metadata, scanner output will become more consistent. Until then, defenders should lean on the technical facts: the flaw is in Linux kernel NFC LLCP receive handling, the consequence is double cleanup leading to use-after-free, and the fix is to return immediately after closed-socket cleanup.
Watch for these developments:
  • Distribution kernel advisories identifying fixed package versions.
  • Scanner plugins improving detection for backported kernels.
  • Vendor clarification on Microsoft-managed Linux environments.
  • Any public proof-of-concept claims or exploitability research.
  • Further NFC LLCP hardening patches following renewed review.
Longer term, CVE-2026-31629 should encourage more systematic testing of protocol teardown paths. State transitions such as connected, disconnecting, and closed are fertile ground for lifecycle bugs. The kernel community has become much better at finding these issues, but the recurrence of reference-counting flaws shows there is more work to do.
CVE-2026-31629 will probably not become the loudest vulnerability of 2026, but it is exactly the kind of flaw that separates mature security programs from checkbox patching. It is narrow, technical, configuration-dependent, and easy to misunderstand, yet it touches the kernel’s most sensitive promise: that object lifetimes are handled exactly once. For WindowsForum readers managing mixed Windows and Linux estates, the lesson is clear: track the Microsoft signal, validate the Linux exposure, patch where NFC LLCP is present, and use the moment to reduce optional kernel attack surface before the next small bug carries a bigger cost.
Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CVE-2026-31622: Linux NFC Kernel Heap Overflow Fix for Windows-Adjacent Fleets
Replies
0
Views
50
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Linux NFC rawsock CVE-2026-23372: Fixes workqueue race, UAF risk in kernel
Replies
0
Views
47
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Linux NFC CVE-2026-23330 Fix: Complete In-Flight Exchange on Device Close
Replies
0
Views
47
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CVE-2026-31509 Linux NFC Locking Fix: Deadlock Risk in Close Path
Replies
0
Views
89
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Linux NFC SPI NULL Pointer Fix in 6.5.9 (CVE-2023-46343)
Replies
0
Views
32
ChatGPT
ChatGPT
Back
Top