CVE-2026-23150 - Vulnerability Details

- nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().

syzbot reported various memory leaks related to NFC, struct
nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]

The leading log hinted that nfc_llcp_send_ui_frame() failed
to allocate skb due to sock_error(sk) being -ENXIO.

ENXIO is set by nfc_llcp_socket_release() when struct
nfc_llcp_local is destroyed by local_cleanup().

The problem is that there is no synchronisation between
nfc_llcp_send_ui_frame() and local_cleanup(), and skb
could be put into local->tx_queue after it was purged in
local_cleanup():

CPU1 CPU2
---- ----
nfc_llcp_send_ui_frame() local_cleanup()
|- do { '
|- pdu = nfc_alloc_send_skb(..., &err)
| .
| |- nfc_llcp_socket_release(local, false, ENXIO);
| |- skb_queue_purge(&local->tx_queue); |
| ' |
|- skb_queue_tail(&local->tx_queue, pdu); |
... |
|- pdu = nfc_alloc_send_skb(..., &err) |
^._________________________________.'

local_cleanup() is called for struct nfc_llcp_local only
after nfc_llcp_remove_local() unlinks it from llcp_devices.

If we hold local->tx_queue.lock then, we can synchronise
the thread and nfc_llcp_send_ui_frame().

Let's do that and check list_empty(&local->list) before
queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().

[0]:
[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
comm "syz.0.17", pid 6096, jiffies 4294942766
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc da58d84d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
comm "syz.0.17", pid 6096, jiffies 4294942850
hex dump (first 32 bytes):
68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......
00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....
backtrace (crc 6cc652b1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/sk
---truncated---

Published: 2026-02-14

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition between the NFC LLCP send_ui_frame routine and the local_cleanup routine allows socket buffers to be queued into a transmission queue after it has been purged, resulting in unreleased memory for skb structures and associated NFC objects. The primary impact is gradual consumption of kernel memory, which could degrade performance or trigger a kernel OOM killer. There is no evidence of direct code execution or data exfiltration from the description.

Affected Systems

The flaw is present in the Linux kernel family in the NFC LLCP driver. All versions up to and including the 6.19 release candidate series (RC1 through RC7) are affected, as indicated by the listed CPE strings and the referenced source code patches. Any system running one of these kernel releases with the NFC driver enabled and operational is vulnerable.

Risk and Exploitability

The EPSS score is less than 1% and the vulnerability is not listed in CISA KEV, indicating a low likelihood of exploitation. The CVSS score of 5.5 reflects moderate overall risk. Based on the description, the likely attack path would require an attacker to trigger repeated calls to send_ui_frame—potentially by sending crafted NFC traffic or invoking user-space APIs that interact with the NFC subsystem—to accelerate memory exhaustion. This could lead to a denial-of-service condition. Attack scenarios remain largely inferred from the race condition details described in the patch notes.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`94f418a206648c9be6fd84d6681d6956b8f8b106`	affected	< ab660cb8e17aa93426d1e821c2cce60e4b9bc56a
`94f418a206648c9be6fd84d6681d6956b8f8b106`	affected	< 65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc
`94f418a206648c9be6fd84d6681d6956b8f8b106`	affected	< 6734ff1ac6beba1d0c22dc9a3dc1849b773b511f
`94f418a206648c9be6fd84d6681d6956b8f8b106`	affected	< f8d002626d434f5fea9085e2557711c16a15cec6
`94f418a206648c9be6fd84d6681d6956b8f8b106`	affected	< 3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5
`94f418a206648c9be6fd84d6681d6956b8f8b106`	affected	< 61858cbce6ca4bef9ed116c689a4be9520841339
`94f418a206648c9be6fd84d6681d6956b8f8b106`	affected	< 165c34fb6068ff153e3fc99a932a80a9d5755709

Linux

affected

Version	Status	Constraints
`3.8`	affected	—
`0`	unaffected	< 3.8
`5.10.249`	unaffected	≤ 5.10.*
`5.15.199`	unaffected	≤ 5.15.*
`6.1.162`	unaffected	≤ 6.1.*
`6.6.123`	unaffected	≤ 6.6.*
`6.12.69`	unaffected	≤ 6.12.*
`6.18.9`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`[94f418a206648c9be6fd84d6681d6956b8f8b106,ab660cb8e17aa93426d1e821c2cce60e4b9bc56a)`	affected	code_commit	—
`[65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc,61858cbce6ca4bef9ed116c689a4be9520841339)`	affected	code_commit	—
`[6734ff1ac6beba1d0c22dc9a3dc1849b773b511f,f8d002626d434f5fea9085e2557711c16a15cec6)`	affected	code_commit	—
`[f8d002626d434f5fea9085e2557711c16a15cec6,3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5)`	affected	code_commit	—
`[3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5,61858cbce6ca4bef9ed116c689a4be9520841339)`	affected	code_commit	—
`[61858cbce6ca4bef9ed116c689a4be9520841339,165c34fb6068ff153e3fc99a932a80a9d5755709)`	affected	code_commit	—
`[94f418a206648c9be6fd84d6681d6956b8f8b106,165c34fb6068ff153e3fc99a932a80a9d5755709)`	affected	code_commit	—

Linux

Linux Kernel

—

Version	Status	Scheme	Platform
`3.8`	affected	generic	—
`[0,3.8)`	unaffected	semver	—
`[5.10.249,5.10.*]`	unaffected	generic	—
`[5.15.199,5.15.*]`	unaffected	generic	—
`[6.1.162,6.1.*]`	unaffected	generic	—
`[6.6.123,6.6.*]`	unaffected	generic	—
`[6.12.69,6.12.*]`	unaffected	generic	—
`[6.18.9,6.18.*]`	unaffected	generic	—
`[6.19,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Acquire and install the kernel update that fixes the memory‑leak bug in nfc_llcp_send_ui_frame().
If a kernel upgrade cannot be performed immediately, unload or blacklist the NFC LLCP driver to eliminate the vulnerable code path.
Enable kernel logging for NFC activities and monitor kernel memory usage regularly to detect abnormal allocation patterns that could indicate repeated attack attempts.

Generated by OpenCVE AI on April 18, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8162-1	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-8180-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8180-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8186-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8187-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8188-1	Linux kernel (HWE) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709
https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5
https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339
https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc
https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f
https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a
https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6
https://lore.kernel.org/linux-cve-announce/2026021414-CVE-2026-23150-5706@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23150
https://www.cve.org/CVERecord?id=CVE-2026-23150

History

Tue, 17 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 17 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026021414-CVE-2026-23150-5706@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23150 https://www.cve.org/CVERecord?id=CVE-2026-23150

Sat, 14 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO. ENXIO is set by nfc_llcp_socket_release() when struct nfc_llcp_local is destroyed by local_cleanup(). The problem is that there is no synchronisation between nfc_llcp_send_ui_frame() and local_cleanup(), and skb could be put into local->tx_queue after it was purged in local_cleanup(): CPU1 CPU2 ---- ---- nfc_llcp_send_ui_frame() local_cleanup() \|- do { ' \|- pdu = nfc_alloc_send_skb(..., &err) \| . \| \|- nfc_llcp_socket_release(local, false, ENXIO); \| \|- skb_queue_purge(&local->tx_queue); \| \| ' \| \|- skb_queue_tail(&local->tx_queue, pdu); \| ... \| \|- pdu = nfc_alloc_send_skb(..., &err) \| ^._________________________________.' local_cleanup() is called for struct nfc_llcp_local only after nfc_llcp_remove_local() unlinks it from llcp_devices. If we hold local->tx_queue.lock then, we can synchronise the thread and nfc_llcp_send_ui_frame(). Let's do that and check list_empty(&local->list) before queuing skb to local->tx_queue in nfc_llcp_send_ui_frame(). [0]: [ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) [ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881272f6800 (size 1024): comm "syz.0.17", pid 6096, jiffies 4294942766 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc da58d84d): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 kmalloc_noprof include/linux/slab.h:961 [inline] sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 sk_alloc+0x36/0x360 net/core/sock.c:2295 nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 __sock_create+0x1a9/0x340 net/socket.c:1605 sock_create net/socket.c:1663 [inline] __sys_socket_create net/socket.c:1700 [inline] __sys_socket+0xb9/0x1a0 net/socket.c:1747 __do_sys_socket net/socket.c:1761 [inline] __se_sys_socket net/socket.c:1759 [inline] __x64_sys_socket+0x1b/0x30 net/socket.c:1759 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f BUG: memory leak unreferenced object 0xffff88810fbd9800 (size 240): comm "syz.0.17", pid 6096, jiffies 4294942850 hex dump (first 32 bytes): 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... backtrace (crc 6cc652b1): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/sk ---truncated---
Title		nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709 https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5 https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339 https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-14T16:01:18.968Z

Updated: 2026-02-14T16:01:18.968Z

Reserved: 2026-01-13T15:37:45.976Z

Link: CVE-2026-23150

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-14T16:15:55.123

Modified: 2026-03-17T21:12:01.620

Link: CVE-2026-23150

Redhat

Severity :

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23150 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses

CWE-401

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object