CVE-2026-23372

Summary

In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < 9b2d23cd09e1cb56bdf0e4d5614703094159f16caffected
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < cdeed45ce8c92defd057f7d67ee9a69374d8fa16affected
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < 3ae592ed91bb4b6b51df256b51045c13d2656049affected
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < 722a28b635ec281bb08a23885223526d8e7d6526affected
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < 78141b8832e16d80d09cbefb4258612db0777a24affected
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < edc988613def90c5b558e025b1b423f48007be06affected
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < da4515fc8263c5933ed605e396af91079806dc45affected
LinuxLinux23b7869c0fd08d73c9f83a2db88a13312d6198bb < d793458c45df2aed498d7f74145eab7ee22d25aaaffected
LinuxLinux3.1affected
LinuxLinux0 < 3.1unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.77 <= 6.12.*unaffected
LinuxLinux6.18.17 <= 6.18.*unaffected
LinuxLinux6.19.7 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References