CVE-2026-23339
Use-After-Free Memory Leak in Linux Kernel NFC nci_transceive Function
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 3.2 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 3.2.1 (inc) to 5.10.253 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's NFC (Near Field Communication) subsystem, specifically in the nci_transceive() function. The function takes ownership of a socket buffer (skb) passed by the caller, but in certain error paths (-EPROTO, -EINVAL, and -EBUSY), it returns without freeing the skb. This leads to memory leaks because the allocated skb is not properly released when errors occur.
The issue was detected because the nci/nci_dev selftest occasionally hits these error paths, and tools like kmemleak detect unreferenced memory objects, indicating leaks.
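The ownership rule described above can be seen in a small user-space model. This is an added example, not kernel source and not code from the original page: `struct buf`, `struct dev_state`, every function name, and the mapping of device state to the three error codes are assumptions made for illustration.

```c
/* User-space model of the skb ownership bug, not kernel source; all names are hypothetical. */
#include <errno.h>
#include <stdlib.h>

struct buf { size_t len; };                  /* stands in for struct sk_buff */
struct dev_state { int has_conn, target_active, busy; };
static int live_bufs;                        /* buffers allocated and not yet freed */
static struct buf *buf_alloc(void)
{
    struct buf *b = calloc(1, sizeof(*b));
    if (b) live_bufs++;
    return b;
}
static void buf_free(struct buf *b) { if (b) { free(b); live_bufs--; } }

/* Assumed mapping of device state to the three error codes the page names. */
static int check_state(const struct dev_state *d)
{
    if (!d->has_conn) return -EPROTO;
    if (!d->target_active) return -EINVAL;
    return d->busy ? -EBUSY : 0;
}

/* Before: the callee owns b, yet an error return drops the only reference. */
static int transceive_leaky(const struct dev_state *d, struct buf *b)
{
    int rc = check_state(d);
    if (rc) return rc;                       /* b is never freed on this path */
    buf_free(b);                             /* success: the send path consumes b */
    return 0;
}

/* After: every exit releases b, so the caller never has to free it. */
static int transceive_fixed(const struct dev_state *d, struct buf *b)
{
    int rc = check_state(d);
    if (rc) { buf_free(b); return rc; }      /* release on each error exit */
    buf_free(b);
    return 0;
}

/* Issue n requests in state d; return how many buffers stayed allocated. */
static int leaked_after(int (*fn)(const struct dev_state *, struct buf *),
                        const struct dev_state *d, int n)
{
    int before = live_bufs;
    for (int i = 0; i < n; i++) { struct buf *b = buf_alloc(); if (b) fn(d, b); }
    return live_bufs - before;
}
```

In the leaky variant each failed request strands one buffer, which is the pattern kmemleak reports as an unreferenced object.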
How can this vulnerability impact me?
The primary impact of this vulnerability is a memory leak in the Linux kernel's NFC subsystem. Over time, if the error paths are frequently triggered, the system could consume increasing amounts of memory, potentially leading to degraded performance or system instability.
While this vulnerability does not directly lead to code execution or privilege escalation, the memory leak could affect system reliability, especially in environments heavily using NFC features.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a memory leak in the Linux kernel's NFC subsystem, specifically in the nci_transceive() function where certain error paths do not free allocated skb buffers.
Detection can be performed by monitoring for memory leaks related to the nci_dev process using kernel memory leak detection tools such as kmemleak.
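On a kernel built with CONFIG_DEBUG_KMEMLEAK and with debugfs mounted, you can trigger a scan and read the kmemleak report with the following commands (run as root):
- Trigger a kmemleak scan: `echo scan > /sys/kernel/debug/kmemleak`
- Check for leaks: `cat /sys/kernel/debug/kmemleak`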
Look specifically for unreferenced objects associated with the "nci_dev" process or similar memory leak traces.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved in the Linux kernel by fixing the error paths in nci_transceive() to properly free the skb buffers.
Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.
If updating is not immediately possible, monitoring for memory leaks using kmemleak and limiting the use of NFC features that trigger nci_transceive() may reduce exposure.