SB20260325163 - Use of Incorrectly-Resolved Name or Reference in Linux kernel nfc pn533 driver
Published: March 25, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2026-23291)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper reference counting in the NFC pn533 USB driver when handling device disconnection. A local user can disconnect a USB NFC device to cause a dangling reference, leading to a denial of service.
The issue arises because the USB interface reference obtained during driver probe is not properly released upon disconnection.
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/00477cab053dc4816b99141d8fcca7a479cfebeb
- https://git.kernel.org/stable/c/12133a483dfa832241fbbf09321109a0ea8a520e
- https://git.kernel.org/stable/c/4551d6cea00224ab65a0ef35e4e6da0e9c0a2d74
- https://git.kernel.org/stable/c/7398d6570501edc55a50ece820f369ab3c1df2e7
- https://git.kernel.org/stable/c/7ff14eb070f0efecb2606f8d7aa01b77d188e886
- https://git.kernel.org/stable/c/d1f6d20b3c2642ec85ce6ea5da7155746c31c6d0