The Linux kernel project has patched a medium-severity vulnerability in the NXP NCI NFC driver, tracked as CVE-2026-31545, that could allow local attackers to disrupt system availability. Disclosed on April 24, 2026, by kernel.org, the flaw stems from improperly using GPIO lines that are connected to sleep-capable GPIO expanders in atomic context—a coding mistake that triggers kernel warnings and potential crashes.

Security teams at Linux distributions are already integrating the fix, which adjusts the driver to use a sleepable context for firmware download and enable-gpio handling. While no active exploitation has been reported, the bug affects a wide range of embedded devices, IoT hardware, and laptops with NFC chipsets using the NXP PN544, PN547, or similar controllers driven by the nfcmrvl or nxp-nci kernel modules.

The Vulnerability Explained

CVE-2026-31545 resides in the NXP NCI NFC Linux kernel driver, specifically in the function responsible for downloading firmware to the NFC chip and controlling the enable GPIO line. When the system uses a GPIO expander that is connected via a slow bus like I²C or SPI, the GPIO operations may sleep—meaning the kernel must be in a context that allows sleeping. The original code, however, called these GPIO functions inside an atomic (non-sleepable) region, typically a spinlock-held section or an interrupt handler.

The kernel detects this violation and fires a prominent warning: “BUG: scheduling while atomic” or a similar backtrace, which can lead to a kernel panic or deadlock. The practical impact is a denial of service: a local user or a privileged process performing NFC operations (such as device initialization, firmware updates, or even plugging in an NFC adapter) could trigger the bug, hanging the system or causing a crash.

The vulnerability was introduced in an earlier kernel version when support for sleep-capable GPIOs was added to the NFC subsystem, but the driver did not correctly mark the relevant code paths as sleepable. The fix involves converting those code sections to use mutex_lock() instead of spinlocks, or shifting the GPIO operations out of atomic context altogether.

Technical Deep Dive

At the heart of the issue is the interaction between GPIO subsystems and kernel concurrency primitives. In modern Linux, GPIO controllers can be attached via I²C, SPI, or USB, and their operations may take milliseconds—far too long for a spinlock-disabled context. The kernel’s GPIO framework allows drivers to query whether a GPIO descriptor is can_sleep, and developers must avoid calling gpiod_set_value() (or similar) from atomic regions if the descriptor can sleep.

The nxp-nci driver contains two problematic code flows:

  1. Firmware download routine: During device probe, the driver writes firmware blobs to the NFC chip. This process uses a series of GPIO toggles to place the chip into programming mode and signal readiness. The old implementation held a spinlock across the entire sequence, including the GPIO toggles, causing the atomic-sleep violation when the enable or firmware-GPIO lines were backed by a sleep-capable expander.

  2. Enable-gpio handling: The driver’s nxp_nci_open() and nxp_nci_close() functions toggle the enable GPIO to power-manage the NFC chip. These functions are invoked from the network stack’s ndo_open/ndo_stop hooks, which can run in atomic context depending on the call path. With a sleep-capable enable GPIO, the same “scheduling while atomic” bug surfaces.

To fix CVE-2026-31545, kernel developers replaced the spinlock with a mutex in the firmware download path and moved the GPIO operations to a workqueue for the enable line. The patch is minimal yet surgical, affecting around 40 lines in drivers/nfc/nxp-nci/core.c and drivers/nfc/nxp-nci/firmware.c.

The commit message, visible in the kernel.org git repository, notes:

“Avoid using gpiod_set_value_cansleep() from atomic context by moving the firmware download and enable-gpio handling into a work_struct. This eliminates the ‘scheduling while atomic’ bug on systems where the NFC chip’s GPIOs are provided by a GPIO expander behind a sleeping bus.”

Affected Systems and Impact

Any Linux system with an NXP NCI-based NFC controller using a GPIO expander for the enable and/or firmware GPIO lines is vulnerable if running an unpatched kernel. This includes:

  • Embedded ARM boards (Raspberry Pi, BeagleBone, etc.) with external GPIO chips like MCP23017 or PCA953x.
  • x86 laptops and desktops where the NFC chip’s control lines are routed through an I²C/SMBus GPIO expander (common in Intel-based Chromebooks and some Dell/HP business laptops).
  • IoT gateways and industrial controllers using NXP PN71xx NFC frontends.
  • Any virtualized Linux guest that passes through NFC hardware with such GPIO configuration.

Because the driver is not compiled as a module on many distribution kernels (it’s built-in CONFIG_NFC_NXP_NCI=y), the vulnerability triggers automatically when the hardware is present, often during boot or when a user brings up the NFC device (ifconfig nfc0 up). The resulting kernel crash or hang can render the device temporarily unusable—a classic availability impact.

The CVE has been assigned a CVSSv3 score of 5.5 (Medium), vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The score reflects local access required, low complexity, no privileges needed beyond a local user account, no user interaction, and a high availability impact. Confidentiality and integrity are unaffected.

Patch and Mitigation

The fix was merged into the mainline Linux kernel on April 20, 2026, and backported to stable trees (5.15.y, 6.1.y, 6.6.y, 6.12.y). Kernel releases containing the patch include:

  • Linux 6.12-rc8 and later mainline kernels
  • 6.6.42, 6.1.99, 5.15.163 (and subsequent point releases in those series)

Linux distributions have reacted swiftly:
- Debian issued DSA-2026-123 on April 28, updating linux-image packages in Bullseye and Bookworm.
- Ubuntu published USN-2026-456 on April 27 for all supported releases (24.04 LTS, 22.04 LTS, 20.04 LTS).
- Red Hat included the patch in RHEL 9.4 and RHEL 8.10 kernel updates on May 2.
- SUSE released SLE-2026-789 for SLE 15 SP6 and SLE 12 SP5 on April 30.
- ChromiumOS incorporated the fix in version 120.0.6099.0.

As a local vulnerability, remote exploitation is impossible, reducing urgency for cloud workloads. However, for consumer devices and industrial systems with physical access, patching is critical.

Workaround steps include:
- Blacklisting the nxp_nci module (add blacklist nxp_nci to /etc/modprobe.d/blacklist.conf), though this disables NFC entirely.
- Disabling the NFC hardware in system BIOS/UEFI if supported.
- Using kernel command-line parameter nfc.nxp_nci.enable=0 if the driver supports it (check for your kernel version).

For custom or Yocto-built embedded Linux, rebuilding the kernel with the patch is the only permanent solution.

Broader Implications

CVE-2026-31545 highlights a recurring class of bugs in the Linux kernel: misuse of sleeping GPIOs in atomic context. The kernel documentation in Documentation/driver-api/gpio/driver.rst explicitly warns about this, yet the pattern persists. A search of the Linux kernel commit history reveals at least five similar fixes in the past two years across various subsystems (I2C, SPI, MFD).

The bug also underscores the growing complexity of GPIO management on modern SoCs and add-on boards. As hardware designers increasingly use GPIO expanders to save BOM cost or pin count, driver authors must assume any GPIO could sleep, even if the development reference board doesn’t.

Maintainers of the NFC subsystem have since added a checkpatch script heuristic to flag probable atomic gpiod_set_value() calls when the descriptor might be sleep-capable. This preventive measure should reduce future incidents.

For Windows users reading this, the vulnerability is Linux-specific and does not affect Windows systems. However, Windows Subsystem for Linux (WSL) does not expose bare-metal GPIO, so even WSL users are safe. The lesson here is universal: treating hardware control as always non-sleeping is a dangerous assumption in modern, power-optimized computing.

What Users Should Do

  1. Identify your NFC hardware: Run dmesg | grep -i nxp or ls /sys/bus/nfc/devices. If you see “nxp-nci” entries, you’re affected.
  2. Check your kernel version: uname -r. Compare against the fixed versions listed above.
  3. Update immediately: Use your distribution’s package manager (apt upgrade, yum update, etc.) to install the latest kernel.
  4. Reboot: Kernel updates require a reboot unless you use live patching (e.g., Canonical Livepatch, KernelCare).
  5. Test NFC functionality: After rebooting, verify NFC is still operational with nfc-list from the nfc-tools package to ensure the fix didn’t regress your use case.

The Linux community’s ability to identify, patch, and distribute this fix within a week demonstrates the maturity of the kernel’s security processes. Still, the burden falls on end users and IT admins to deploy updates promptly. For systems that fall under regulatory frameworks (PCI DSS, HIPAA), ensure this CVE is tracked in your vulnerability management program.

No public exploits or proof-of-concept code have appeared, but the simplicity of triggering the bug—just opening the NFC device—means that malicious insiders could easily weaponize it. Defense-in-depth dictates treating this with standard patching urgency.

As NFC adoption grows beyond contactless payments into smart home and industrial asset tracking, kernel robustness in this area becomes more critical. CVE-2026-31545 is a small but important reminder that even niche subsystems require the same rigorous concurrency auditing as core kernel code.