CVE-2026-43098

Summary

In the Linux kernel, the following vulnerability has been resolved:

nfc: s3fwrn5: allocate rx skb before consuming bytes

s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complete frame before allocating a fresh receive buffer.

If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8().

Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3f52c2cb7e3ada37513dabb69a22cf917dba754f < 20a57de2e79b797ed75382659d52bf4c7d9cb446affected
LinuxLinux3f52c2cb7e3ada37513dabb69a22cf917dba754f < e4ab0fd1c91882f2a7846b1817781c8741f7f315affected
LinuxLinux3f52c2cb7e3ada37513dabb69a22cf917dba754f < d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156affected
LinuxLinux3f52c2cb7e3ada37513dabb69a22cf917dba754f < 7c31f7a599cf00fad3c204092a91a924126c67e4affected
LinuxLinux3f52c2cb7e3ada37513dabb69a22cf917dba754f < 6d931680a9851481c3243689488eafed08eeff71affected
LinuxLinux3f52c2cb7e3ada37513dabb69a22cf917dba754f < 09822d3d6f68a0cdc4626e0c507324a4927f55a9affected
LinuxLinux3f52c2cb7e3ada37513dabb69a22cf917dba754f < 5c14a19d5b1645cce1cb1252833d70b23635b632affected
LinuxLinux5.11affected
LinuxLinux0 < 5.11unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References