CVE-2026-31622

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the NFC-A anti-collision cascade within the digital in recv sdd res() function. The process appends 3 or 4 bytes to target->nfcid1 during each round, but the number of rounds is controlled by the peer device via the cascade tag in the SDD RES and the cascade-incomplete bit in the SEL RES. Although ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized for a maximum of 10 bytes (NFC NFCID1 MAXSIZE), the driver does not enforce this limit. A malicious peer can maintain the cascade to write past the heap-allocated nfc target.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.