{"id":"CVE-2026-31629","summary":"nfc: llcp: add missing return after LLCP_CLOSED checks","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: add missing return after LLCP_CLOSED checks\n\nIn nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket\nstate is LLCP_CLOSED, the code correctly calls release_sock() and\nnfc_llcp_sock_put() but fails to return. Execution falls through to\nthe remainder of the function, which calls release_sock() and\nnfc_llcp_sock_put() again. This results in a double release_sock()\nand a refcount underflow via double nfc_llcp_sock_put(), leading to\na use-after-free.\n\nAdd the missing return statements after the LLCP_CLOSED branches\nin both functions to prevent the fall-through.","modified":"2026-06-11T12:29:14.195056644Z","published":"2026-04-24T14:42:49.849Z","related":["CGA-vmvr-93f7-rp3x","SUSE-SU-2026:2310-1","SUSE-SU-2026:2331-1","SUSE-SU-2026:2332-1","openSUSE-SU-2026:10703-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31629.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0eb1263a3b8c36418c9ba295c9ab3abed664edbf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2b5dd4632966c39da6ba74dbc8689b309065e82c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/665315df9c3486cb213fc44d83cc8bcd47fe0d26"},{"type":"WEB","url":"https://git.kernel.org/stable/c/796e0cac058252d0ad34ebe288e6f7979b5fc9b2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8977fad2b3c6eefd414131168d597c5d1d5e1abf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aba4712e8f0381cd5d196534ce2ad082626a5ab6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b2a23529593d011fb433a3d711fc597ed6a6bd2f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff3d9e8f7244293e303f7b6ef70774291c7c27e9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31629.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31629"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d646960f7986fefb460a2b062d5ccc8ccfeacc3a"},{"fixed":"b2a23529593d011fb433a3d711fc597ed6a6bd2f"},{"fixed":"665315df9c3486cb213fc44d83cc8bcd47fe0d26"},{"fixed":"9b49e2a4b8219a2fc5cebf94f4ec34e509aff8a6"},{"fixed":"0eb1263a3b8c36418c9ba295c9ab3abed664edbf"},{"fixed":"796e0cac058252d0ad34ebe288e6f7979b5fc9b2"},{"fixed":"8977fad2b3c6eefd414131168d597c5d1d5e1abf"},{"fixed":"ff3d9e8f7244293e303f7b6ef70774291c7c27e9"},{"fixed":"aba4712e8f0381cd5d196534ce2ad082626a5ab6"},{"fixed":"2b5dd4632966c39da6ba74dbc8689b309065e82c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31629.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.3.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31629.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}