CVE-2026-31622 | NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round. Fix this by rejecting the response when the accumulated UID would exceed the buffer. Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.

Published: 2026-04-24 Last update: 2026-06-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Modified，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2026-31622

EPSS CVSS CWE GHSA Affected OS Tracker

Conclusion & alert: CVE-2026-31622 is rated Moderate Risk (42.3/100): CVSS High severity, with low exploitation likelihood (EPSS 0.28%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-31622

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.28%	+0.26%
2	2026-04-25	—	0.02%	—

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-31622

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.8	3.1	HIGH	`CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	5.9	416baaa9-dc9f-4396-8d5f-8c081fb06d67

Weakness enumeration for CVE-2026-31622

CWE-120 MITRE ↗

GitHub Security Advisory for CVE-2026-31622

GHSA-3r85-565g-4jhq · Severity: high — In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check...

OS Trackers for CVE-2026-31622

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-31622 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2.	https://security-tracker.debian.org/tracker/CVE-2026-31622
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2026-31622
`suse`	high	—	https://www.suse.com/security/cve/CVE-2026-31622/
`ubuntu`	medium	CVE-2026-31622 medium priority: Ubuntu including 161 source packages (linux, linux-allwinner-5.19, …), 1449 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1048, ignored 173, needed 140, released 83, needs-triage 4, pending 1.	https://ubuntu.com/security/CVE-2026-31622

Affected software / configurations for CVE-2026-31622

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 3.13, < 6.6.136	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.83	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.24	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19, < 6.19.14	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 7.0, < 7.0.1	cpe:2.3:o:linux:linux_kernel::::::::

References for CVE-2026-31622

URL	Tags
https://git.kernel.org/stable/c/1bec5698b55aa2be5c3b983dba657c01d0fd3dbc	Patch
https://git.kernel.org/stable/c/20663102c14566e900e1d2f679e30b7f1694f387
https://git.kernel.org/stable/c/2819f34e08bdffb6f06a51c67948ec5737fb166a	Patch
https://git.kernel.org/stable/c/46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1	Patch
https://git.kernel.org/stable/c/5a59bf70c38ee1eb4be03bab830bbc3a6f0bd1f1	Patch
https://git.kernel.org/stable/c/8d9d9bf3565271ca7ab9c716a94e87296177e7ba	Patch
https://git.kernel.org/stable/c/9ba6bb09e00b922d902f684f575779e5433fe6e3
https://git.kernel.org/stable/c/cc024a3de265ef6c58957f4990eccb9f806208cb	Patch
https://git.kernel.org/stable/c/f83b399aa05a0712e3b1569a30d3d90b3533d2ef

cvelogic Threat Intelligence