U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2026-31509 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move the flush of rx_wq after req_lock has been released. This should safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN. NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/09143c0e8f3b03517e6233aad42f45c794d8df8e kernel.org Patch 
https://git.kernel.org/stable/c/1edc12d2bbcb7a8d0f1088e6fccb9d8c01bb1289 kernel.org Patch 
https://git.kernel.org/stable/c/4527025d440ce84bf56e75ce1df2e84cb8178616 kernel.org Patch 
https://git.kernel.org/stable/c/5eef9ebec7f5738f12cadede3545c05b34bf5ac3 kernel.org Patch 
https://git.kernel.org/stable/c/7ed00a3edc8597fe2333f524401e2889aa1b5edf kernel.org Patch 
https://git.kernel.org/stable/c/ca54e904a071aa65ef3ad46ba42d51aaac6b73b4 kernel.org Patch 
https://git.kernel.org/stable/c/d89b74bf08f067b55c03d7f999ba0a0e73177eb3 kernel.org Patch 
https://git.kernel.org/stable/c/eb435d150ca74b4d40f77f1a2266f3636ed64a79 kernel.org Patch 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-667 Improper Locking cwe source acceptance level NIST  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2026-31509
NVD Published Date:
04/22/2026
NVD Last Modified:
04/28/2026
Source:
kernel.org