CVE-2026-23150
Unknown Unknown - Not Provided
Memory Leak in Linux Kernel NFC LLCP Component Due to Race Condition

Publication date: 2026-02-14

Last updated on: 2026-03-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO. ENXIO is set by nfc_llcp_socket_release() when struct nfc_llcp_local is destroyed by local_cleanup(). The problem is that there is no synchronisation between nfc_llcp_send_ui_frame() and local_cleanup(), and skb could be put into local->tx_queue after it was purged in local_cleanup(): CPU1 CPU2 ---- ---- nfc_llcp_send_ui_frame() local_cleanup() |- do { ' |- pdu = nfc_alloc_send_skb(..., &err) | . | |- nfc_llcp_socket_release(local, false, ENXIO); | |- skb_queue_purge(&local->tx_queue); | | ' | |- skb_queue_tail(&local->tx_queue, pdu); | ... | |- pdu = nfc_alloc_send_skb(..., &err) | ^._________________________________.' local_cleanup() is called for struct nfc_llcp_local only after nfc_llcp_remove_local() unlinks it from llcp_devices. If we hold local->tx_queue.lock then, we can synchronise the thread and nfc_llcp_send_ui_frame(). Let's do that and check list_empty(&local->list) before queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). [0]: [ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) [ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881272f6800 (size 1024): comm "syz.0.17", pid 6096, jiffies 4294942766 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc da58d84d): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 kmalloc_noprof include/linux/slab.h:961 [inline] sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 sk_alloc+0x36/0x360 net/core/sock.c:2295 nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 __sock_create+0x1a9/0x340 net/socket.c:1605 sock_create net/socket.c:1663 [inline] __sys_socket_create net/socket.c:1700 [inline] __sys_socket+0xb9/0x1a0 net/socket.c:1747 __do_sys_socket net/socket.c:1761 [inline] __se_sys_socket net/socket.c:1759 [inline] __x64_sys_socket+0x1b/0x30 net/socket.c:1759 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f BUG: memory leak unreferenced object 0xffff88810fbd9800 (size 240): comm "syz.0.17", pid 6096, jiffies 4294942850 hex dump (first 32 bytes): 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... backtrace (crc 6cc652b1): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/sk ---truncated---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-17
Generated
2026-05-07
AI Q&A
2026-02-14
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23150
EUVD
EUVD-2026-5886
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 3.8 (inc) to 5.10.249 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.199 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.162 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.123 (exc)
linux linux_kernel 6.19
linux linux_kernel From 6.7 (inc) to 6.12.69 (exc)
linux linux_kernel 6.19
linux linux_kernel From 6.13 (inc) to 6.18.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a memory leak in the Linux kernel's NFC (Near Field Communication) subsystem, specifically in the function nfc_llcp_send_ui_frame().

The issue arises because there is no synchronization between the function nfc_llcp_send_ui_frame() and the cleanup function local_cleanup(). This lack of synchronization can cause memory buffers (skb) to be added to a queue after that queue has already been purged, leading to memory leaks.

The problem occurs when nfc_llcp_send_ui_frame() tries to allocate memory for sending a frame but fails due to an error set by nfc_llcp_socket_release(), which is called during cleanup. Because the cleanup function purges the transmission queue without proper locking, memory buffers can be lost and not freed properly.

The fix involves adding synchronization by holding a lock on the transmission queue and checking if the local structure is still valid before queuing memory buffers, preventing the memory leak.


How can this vulnerability impact me? :

This vulnerability can lead to memory leaks in the Linux kernel's NFC subsystem.

Memory leaks can cause increased memory usage over time, potentially leading to system instability, degraded performance, or crashes if the leaked memory accumulates significantly.

For systems relying on NFC functionality, this could result in unreliable NFC communication or failures in NFC-related operations.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves memory leaks related to NFC components in the Linux kernel, specifically in the nfc_llcp_send_ui_frame() function.

Detection can be done by monitoring kernel logs for messages indicating memory leaks or allocation failures related to NFC, such as errors from nfc_llcp_send_ui_frame() or kmemleak reports.

You can check for suspected memory leaks using the kernel's kmemleak interface with the following command:

  • cat /sys/kernel/debug/kmemleak

Additionally, monitoring dmesg or kernel logs for messages like "llcp: nfc_llcp_send_ui_frame: Could not allocate PDU" or "kmemleak: new suspected memory leaks" can help detect the issue.

  • dmesg | grep -i nfc_llcp_send_ui_frame
  • dmesg | grep -i kmemleak

What immediate steps should I take to mitigate this vulnerability?

The vulnerability was fixed by adding proper synchronization between nfc_llcp_send_ui_frame() and local_cleanup() functions to prevent memory leaks.

Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.

If updating is not immediately possible, consider disabling NFC functionality temporarily to avoid triggering the vulnerable code paths.

  • Update your Linux kernel to the latest version that includes the fix for this vulnerability.
  • Disable NFC modules or services until the update can be applied.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart