CVE-2022-26490: 
Linux Kernel vulnerability analysis and mitigation

The vulnerability CVE-2022-26490 affects the Linux kernel through version 5.16.12, specifically in the st21nfca_connectivity_event_received function within drivers/nfc/st21nfca/se.c. The vulnerability was discovered in March 2022 and involves buffer overflow issues in EVT_TRANSACTION events due to untrusted length parameters (NVD, Ubuntu).

The vulnerability stems from buffer overflow issues in the ST21NFCA NFC driver's handling of EVT_TRANSACTION events. The issue occurs because length parameters passed to memcpy come directly from skb->data without proper validation. The vulnerability has been assigned a CVSS score of 7.8 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

When successfully exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). A physically proximate attacker could potentially cause a system crash or execute arbitrary code (Ubuntu, NetApp Advisory).

The vulnerability has been fixed in various Linux distributions through security updates. The fix involves adding proper validation checks for the length parameters before performing memory operations. The patch was committed to the Linux kernel with commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221, which adds validation for AID length and parameters length (GitHub Commit).