CVE-2026-23372
Received - Intake
Use-After-Free in Linux NFC Rawsock Causing Potential Memory Corruption

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.

Meta Information

Published: 2026-03-25
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 15 associated CPEs
Vendor | Product | Version / Range
linux | linux_kernel | 3.1
linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc)
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc)
linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc)
linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc)
linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc)
linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc)
linux | linux_kernel | From 3.1.1 (inc) to 5.10.253 (exc)

CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's NFC raw socket implementation. Specifically, it involves a race condition in the rawsock_release() function where pending transmission work (tx_work) is not properly canceled before the socket is torn down. The tx_work runs asynchronously and calls nfc_data_exchange, which accesses the NCI device. Without proper synchronization, if a process is killed (for example, by SIGKILL), the tx_work can race with the socket and device teardown, potentially causing use-after-free errors or leaked references.

The fix involves setting a SEND_SHUTDOWN flag to prevent further transmissions if tx_work is already running, then using cancel_work_sync to wait for any ongoing work to finish, and finally purging any remaining queued socket buffers.


How can this vulnerability impact me?

This vulnerability can lead to use-after-free conditions or leaked references in the kernel when the NFC raw socket is closed while transmission work is still pending. Such issues can cause system instability, crashes, or potentially allow attackers to execute arbitrary code or escalate privileges if they can trigger the race condition.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that the Linux kernel is updated to a version where the issue is resolved.

The fix involves canceling any pending tx_work before socket teardown in rawsock_release(), setting SEND_SHUTDOWN to prevent further transmissions, using cancel_work_sync to wait for ongoing work to finish, and purging any remaining queued skbs.

Therefore, applying the latest kernel patches or upgrading the kernel to a fixed version is the immediate step to prevent use-after-free or leaked references related to this vulnerability.
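
A triage helper for the upgrade step above, as an added example (not part of the CVE record or any kernel.org tooling): it classifies a `uname -r` style release string against the ranges in the Affected Vendors & Products table. It assumes mainline/stable version numbering, so distribution kernels that backport fixes need the vendor's advisory instead; the bare 7.0 entries are reported as "review" because the table gives no further qualifier, and the function names are hypothetical.

```python
import re

# (first affected, first fixed) pairs copied from the CPE table on this page.
AFFECTED_RANGES = [
    ((3, 1, 1), (5, 10, 253)),
    ((5, 11, 0), (5, 15, 203)),
    ((5, 16, 0), (6, 1, 167)),
    ((6, 2, 0), (6, 6, 130)),
    ((6, 7, 0), (6, 12, 77)),
    ((6, 13, 0), (6, 18, 17)),
    ((6, 19, 0), (6, 19, 7)),
]
AFFECTED_EXACT = {(3, 1, 0)}   # listed as a single version ("3.1")
REVIEW_EXACT = {(7, 0, 0)}     # listed only as "7.0"; the page gives no detail


def parse_release(release):
    """Extract (major, minor, patch) from strings such as '6.6.129-generic'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def classify(release):
    """Return 'affected', 'review' or 'not-listed' for a release string."""
    version = parse_release(release)
    if version in REVIEW_EXACT:
        return "review"
    if version in AFFECTED_EXACT:
        return "affected"
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Lower bound inclusive, upper bound exclusive, as in the table.
        if first_affected <= version < first_fixed:
            return "affected"
    return "not-listed"


if __name__ == "__main__":
    import platform
    running = platform.release()
    try:
        print(f"{running}: {classify(running)}")
    except ValueError as exc:
        print(exc)
```

A "not-listed" result only means the version falls outside the ranges shown on this page.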

