CVE-2026-46267

Summary

In the Linux kernel, the following vulnerability has been resolved:

nfc: hci: shdlc: Stop timers and work before freeing context

llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active.

Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux4a61cd6687fc6348d08724676d34e38160d6cf9b < c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6eaffected
LinuxLinux4a61cd6687fc6348d08724676d34e38160d6cf9b < a24a676329d40481b2331bfa1418a679577dfd3aaffected
LinuxLinux4a61cd6687fc6348d08724676d34e38160d6cf9b < 77eef9f2eef045c3c37a3df82d3e661afb866b98affected
LinuxLinux4a61cd6687fc6348d08724676d34e38160d6cf9b < cf70cedce327833296ebe6043364d1e44b76a2abaffected
LinuxLinux4a61cd6687fc6348d08724676d34e38160d6cf9b < 276820278e9717cc7d4bb32381892dd3ddf418d4affected
LinuxLinux4a61cd6687fc6348d08724676d34e38160d6cf9b < 1cb97b1225450af3f7b728777929ba50c6a58cedaffected
LinuxLinux4a61cd6687fc6348d08724676d34e38160d6cf9b < c9efde1e537baed7648a94022b43836a348a074faffected
LinuxLinux3.7affected
LinuxLinux0 < 3.7unaffected
LinuxLinux5.15.202 <= 5.15.*unaffected
LinuxLinux6.1.165 <= 6.1.*unaffected
LinuxLinux6.6.128 <= 6.6.*unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.14 <= 6.18.*unaffected
LinuxLinux6.19.4 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References