In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532receivebuf() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recvskb and may already hand a complete frame to pn533recv_frame() before allocating a fresh receive buffer.
If that allocskb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recvskb as NULL for the next receive callback. That breaks the receivebuf() accounting contract and can also lead to a NULL dereference on the next skbput_u8().
Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31660.json",
"cna_assigner": "Linux"
}