CVE-2026-31622

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/04/2026
Last modified:
24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows).

ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round.

Fix this by rejecting the response when the accumulated UID would exceed the buffer.

Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.
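The following user-space model is an added example, not the kernel's code or the upstream patch; it shows the kind of check the description calls for, rejecting a round before the copy when the accumulated UID would exceed the buffer. The struct `target_model`, the functions `append_sdd_round` and `accepted_rounds`, the macro name `SDD_RES_CT` and the sample bytes are assumptions made for illustration; only `NFC_NFCID1_MAXSIZE = 10` comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NFC_NFCID1_MAXSIZE 10  /* buffer size stated in the advisory */
#define SDD_RES_CT 0x88        /* ISO 14443-3 cascade tag; macro name is hypothetical */

/* Simplified stand-in for the nfcid1 fields of struct nfc_target. */
struct target_model {
    uint8_t nfcid1[NFC_NFCID1_MAXSIZE];
    size_t nfcid1_len;
};

/*
 * Append the UID bytes of one SDD_RES round (4 bytes shown, BCC omitted).
 * Returns 0 on success, -1 if the accumulated UID would exceed the buffer.
 */
int append_sdd_round(struct target_model *t, const uint8_t part[4])
{
    size_t offset = 0, size = 4;

    if (part[0] == SDD_RES_CT) {  /* cascade tag present: 3 UID bytes follow */
        offset = 1;
        size = 3;
    }

    /* Peer controls how many rounds occur, so check before every write. */
    if (t->nfcid1_len + size > sizeof(t->nfcid1))
        return -1;

    memcpy(t->nfcid1 + t->nfcid1_len, part + offset, size);
    t->nfcid1_len += size;
    return 0;
}

/* Feed up to `rounds` rounds that all carry the cascade tag, as a peer that
 * never ends the cascade would; return how many rounds were accepted. */
int accepted_rounds(int rounds)
{
    static const uint8_t ct_round[4] = { SDD_RES_CT, 0x01, 0x02, 0x03 }; /* constructed */
    struct target_model t = { .nfcid1_len = 0 };
    int ok = 0;

    while (ok < rounds && append_sdd_round(&t, ct_round) == 0)
        ok++;
    return ok;
}
```

A well-formed triple-size UID (3 + 3 + 4 bytes) fills the buffer exactly and is still accepted; only a further round is refused.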

Impact