CVE-2026-23339
Received Received - Intake
Use-After-Free Memory Leak in Linux Kernel NFC nci_transceive Function

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks: unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffies 4295441246 hex dump (first 32 bytes): 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk backtrace (crc 7c40cc2a): kmem_cache_alloc_node_noprof+0x492/0x630 __alloc_skb+0x11e/0x5f0 alloc_skb_with_frags+0xc6/0x8f0 sock_alloc_send_pskb+0x326/0x3f0 nfc_alloc_send_skb+0x94/0x1d0 rawsock_sendmsg+0x162/0x4c0 do_syscall_64+0x117/0xfc0
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23339
EUVD
EUVD-2026-15305
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.2
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 3.2.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's NFC (Near Field Communication) subsystem, specifically in the nci_transceive() function. The function takes ownership of a socket buffer (skb) passed by the caller, but in certain error paths (-EPROTO, -EINVAL, and -EBUSY), it returns without freeing the skb. This leads to memory leaks because the allocated skb is not properly released when errors occur.

The issue was detected because the nci/nci_dev selftest occasionally hits these error paths, and tools like kmemleak detect unreferenced memory objects, indicating leaks.

Impact Analysis

The primary impact of this vulnerability is a memory leak in the Linux kernel's NFC subsystem. Over time, if the error paths are frequently triggered, the system could consume increasing amounts of memory, potentially leading to degraded performance or system instability.

While this vulnerability does not directly lead to code execution or privilege escalation, the memory leak could affect system reliability, especially in environments heavily using NFC features.

Detection Guidance

This vulnerability involves a memory leak in the Linux kernel's NFC subsystem, specifically in the nci_transceive() function where certain error paths do not free allocated skb buffers.

Detection can be performed by monitoring for memory leaks related to the nci_dev process using kernel memory leak detection tools such as kmemleak.

You can enable and check kmemleak reports with the following commands:

  • Enable kmemleak: echo scan > /sys/kernel/debug/kmemleak
  • Check for leaks: cat /sys/kernel/debug/kmemleak

Look specifically for unreferenced objects associated with the "nci_dev" process or similar memory leak traces.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the error paths in nci_transceive() to properly free the skb buffers.

Immediate mitigation steps include updating your Linux kernel to a version that contains this fix.

If updating is not immediately possible, monitoring for memory leaks using kmemleak and limiting the use of NFC features that trigger nci_transceive() may reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart