CVE-2026-31509
Received Received - Intake
Circular Locking Dependency in Linux Kernel NFC Component Fixed

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move the flush of rx_wq after req_lock has been released. This should safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN. NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31509
EUVD
EUVD-2026-24889
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.2
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 3.2.1 (inc) to 5.10.253 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's NFC subsystem, specifically in the nci_close_device function. The issue is a circular locking dependency caused by nci_close_device flushing two work queues (rx_wq and tx_wq) while holding a mutex lock (req_lock). Meanwhile, a function running on the rx_wq (nci_rx_work) can also attempt to acquire the same req_lock, creating a circular dependency that can lead to deadlocks.

The fix involves moving the flush of the rx_wq work queue until after the req_lock has been released, preventing the circular locking dependency and potential deadlock.

Impact Analysis

This vulnerability can cause deadlocks in the Linux kernel's NFC subsystem, which may lead to system instability or crashes when using NFC features. Specifically, the circular locking dependency can cause the kernel to hang or become unresponsive during NFC device closure operations.

Mitigation Strategies

The vulnerability is fixed by moving the flush of rx_wq after the req_lock has been released in the Linux kernel NFC nci_close_device function.

To mitigate this vulnerability, update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31509. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart