CVE-2026-31660

In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: allocate rx skb before consuming bytes

pn532 receive buf() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv skb and may already hand a complete frame to pn533 recv frame() before allocating a fresh receive buffer.

If that alloc skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv skb as NULL for the next receive callback. That breaks the receive buf() accounting contract and can also lead to a NULL dereference on the next skb put u8().

Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.