{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31509", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.106Z", "datePublished": "2026-04-22T13:54:27.436Z", "dateUpdated": "2026-04-22T13:54:27.436Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:27.436Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete\n -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target\n -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/nci/core.c"], "versions": [{"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "7ed00a3edc8597fe2333f524401e2889aa1b5edf", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "5eef9ebec7f5738f12cadede3545c05b34bf5ac3", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "ca54e904a071aa65ef3ad46ba42d51aaac6b73b4", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "eb435d150ca74b4d40f77f1a2266f3636ed64a79", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "d89b74bf08f067b55c03d7f999ba0a0e73177eb3", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "09143c0e8f3b03517e6233aad42f45c794d8df8e", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "4527025d440ce84bf56e75ce1df2e84cb8178616", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/nci/core.c"], "versions": [{"version": "3.2", "status": "affected"}, {"version": "0", "lessThan": "3.2", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf"}, {"url": "https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3"}, {"url": "https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4"}, {"url": "https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79"}, {"url": "https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289"}, {"url": "https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3"}, {"url": "https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e"}, {"url": "https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616"}], "title": "nfc: nci: fix circular locking dependency in nci_close_device", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix circular locking dependency in nci_close_device\n\nnci_close_device() flushes rx_wq and tx_wq while holding req_lock.\nThis causes a circular locking dependency because nci_rx_work()\nrunning on rx_wq can end up taking req_lock too:\n\n nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete\n -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target\n -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)\n\nMove the flush of rx_wq after req_lock has been released.\nThis should safe (I think) because NCI_UP has already been cleared\nand the transport is closed, so the work will see it and return\n-ENETDOWN.\n\nNIPA has been hitting this running the nci selftest with a debug\nkernel on roughly 4% of the runs."}], "id": "CVE-2026-31509", "lastModified": "2026-04-22T14:16:49.947", "metrics": {}, "published": "2026-04-22T14:16:49.947", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,7ed00a3edc8597fe2333f524401e2889aa1b5edf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,5eef9ebec7f5738f12cadede3545c05b34bf5ac3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,ca54e904a071aa65ef3ad46ba42d51aaac6b73b4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,eb435d150ca74b4d40f77f1a2266f3636ed64a79)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,d89b74bf08f067b55c03d7f999ba0a0e73177eb3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,09143c0e8f3b03517e6233aad42f45c794d8df8e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[6a2968aaf50c7a22fced77a5e24aa636281efca8,4527025d440ce84bf56e75ce1df2e84cb8178616)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T18:42:00.455791+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that moves the rx_wq flush after the request lock release, as referenced in the kernel commit logs (see the provided Git URLs).", "If a patched kernel is not immediately available, temporarily disable the NFC NCI module or prevent NFC device usage until the patch can be applied. This reduces the attack surface by removing the code path that can deadlock.", "After applying the patch or disabling the module, run comprehensive NCI self\u2011tests to confirm that no deadlock occurs and that other NFC functionality remains intact."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via deadlock"}, "threat_synthesis": {"affected_systems": "All publicly available Linux kernel builds that include the NFC NCI subsystem prior to the patched code contain this flaw. No specific versions are listed, but the CPE indicates that every Linux kernel is potentially affected. Users of distributions shipping default kernels should verify that their kernel includes the patch that moves the rx queue flush after the request lock is released.", "description_and_impact": "The vulnerability arises from a circular locking dependency in the Linux kernel\u2019s NFC NCI subsystem. While closing an NCI device, the code flushes both the rx and tx work queues while still holding the request lock. A worker triggered on the rx queue can simultaneously acquire the request lock, creating a deadlock scenario. An attacker or misbehaving NFC device could trigger this code path, resulting in the kernel hanging or timing out, effectively denying service to NFC operations.", "risk_and_exploitability": "The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, suggesting a modest but non-negligible exploitation probability. The attack vector is likely local or device\u2011based; a compromised NFC device or user with permissions to load NFC drivers could force the deadlock. Once triggered, the system may become unresponsive until rebooted. Given the critical nature of kernel deadlocks, the risk to availability is high and immediate mitigation is recommended."}}}}, "created": "2026-04-22T18:15:15.248525+00:00", "updated": "2026-04-22T18:45:24.011848+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-362"]}