{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23167", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.981Z", "datePublished": "2026-02-14T16:01:30.755Z", "dateUpdated": "2026-02-14T16:01:30.755Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-14T16:01:30.755Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix race between rfkill and nci_unregister_device().\n\nsyzbot reported the splat below [0] without a repro.\n\nIt indicates that struct nci_dev.cmd_wq had been destroyed before\nnci_close_device() was called via rfkill.\n\nnci_dev.cmd_wq is only destroyed in nci_unregister_device(), which\n(I think) was called from virtual_ncidev_close() when syzbot close()d\nan fd of virtual_ncidev.\n\nThe problem is that nci_unregister_device() destroys nci_dev.cmd_wq\nfirst and then calls nfc_unregister_device(), which removes the\ndevice from rfkill by rfkill_unregister().\n\nSo, the device is still visible via rfkill even after nci_dev.cmd_wq\nis destroyed.\n\nLet's unregister the device from rfkill first in nci_unregister_device().\n\nNote that we cannot call nfc_unregister_device() before\nnci_close_device() because\n\n 1) nfc_unregister_device() calls device_del() which frees\n all memory allocated by devm_kzalloc() and linked to\n ndev->conn_info_list\n\n 2) nci_rx_work() could try to queue nci_conn_info to\n ndev->conn_info_list which could be leaked\n\nThus, nfc_unregister_device() is split into two functions so we\ncan remove rfkill interfaces only before nci_close_device().\n\n[0]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349\nModules linked in:\nCPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026\nRIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]\nRIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]\nRIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187\nCode: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f\nRSP: 0018:ffffc9000c767680 EFLAGS: 00010046\nRAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000\nRDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0\nRBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4\nR10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2\nR13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30\nFS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868\n touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940\n __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982\n nci_close_device+0x302/0x630 net/nfc/nci/core.c:567\n nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639\n nfc_dev_down+0x152/0x290 net/nfc/core.c:161\n nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179\n rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346\n rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301\n vfs_write+0x29a/0xb90 fs/read_write.c:684\n ksys_write+0x150/0x270 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa59b39acb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9\nRDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007\nRBP: 00007fa59b408bf7 R08: \n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/nfc/nfc.h", "net/nfc/core.c", "net/nfc/nci/core.c"], "versions": [{"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "cd4412d5905ee580e96c48360dc98fcd9e6f3208", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "eaa5da5130deda26420273d4610cf6e4f794ed75", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "546eba0b10989de9ccc7fd619e874a30561e2b88", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "c3369fc5e6120a72169e71acd72e987907a682af", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "d2492688bb9fed6ab6e313682c387ae71a66ebae", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/nfc/nfc.h", "net/nfc/core.c", "net/nfc/nci/core.c"], "versions": [{"version": "3.2", "status": "affected"}, {"version": "0", "lessThan": "3.2", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.123", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.69", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.9", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.6.123"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.12.69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.18.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cd4412d5905ee580e96c48360dc98fcd9e6f3208"}, {"url": "https://git.kernel.org/stable/c/eaa5da5130deda26420273d4610cf6e4f794ed75"}, {"url": "https://git.kernel.org/stable/c/8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac"}, {"url": "https://git.kernel.org/stable/c/546eba0b10989de9ccc7fd619e874a30561e2b88"}, {"url": "https://git.kernel.org/stable/c/126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5"}, {"url": "https://git.kernel.org/stable/c/c3369fc5e6120a72169e71acd72e987907a682af"}, {"url": "https://git.kernel.org/stable/c/d2492688bb9fed6ab6e313682c387ae71a66ebae"}], "title": "nfc: nci: Fix race between rfkill and nci_unregister_device().", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix race between rfkill and nci_unregister_device().\n\nsyzbot reported the splat below [0] without a repro.\n\nIt indicates that struct nci_dev.cmd_wq had been destroyed before\nnci_close_device() was called via rfkill.\n\nnci_dev.cmd_wq is only destroyed in nci_unregister_device(), which\n(I think) was called from virtual_ncidev_close() when syzbot close()d\nan fd of virtual_ncidev.\n\nThe problem is that nci_unregister_device() destroys nci_dev.cmd_wq\nfirst and then calls nfc_unregister_device(), which removes the\ndevice from rfkill by rfkill_unregister().\n\nSo, the device is still visible via rfkill even after nci_dev.cmd_wq\nis destroyed.\n\nLet's unregister the device from rfkill first in nci_unregister_device().\n\nNote that we cannot call nfc_unregister_device() before\nnci_close_device() because\n\n 1) nfc_unregister_device() calls device_del() which frees\n all memory allocated by devm_kzalloc() and linked to\n ndev->conn_info_list\n\n 2) nci_rx_work() could try to queue nci_conn_info to\n ndev->conn_info_list which could be leaked\n\nThus, nfc_unregister_device() is split into two functions so we\ncan remove rfkill interfaces only before nci_close_device().\n\n[0]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349\nWARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349\nModules linked in:\nCPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026\nRIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]\nRIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]\nRIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187\nCode: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f\nRSP: 0018:ffffc9000c767680 EFLAGS: 00010046\nRAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000\nRDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0\nRBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4\nR10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2\nR13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30\nFS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0\nCall Trace:\n <TASK>\n lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868\n touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940\n __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982\n nci_close_device+0x302/0x630 net/nfc/nci/core.c:567\n nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639\n nfc_dev_down+0x152/0x290 net/nfc/core.c:161\n nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179\n rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346\n rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301\n vfs_write+0x29a/0xb90 fs/read_write.c:684\n ksys_write+0x150/0x270 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa59b39acb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9\nRDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007\nRBP: 00007fa59b408bf7 R08: \n---truncated---"}], "id": "CVE-2026-23167", "lastModified": "2026-02-14T16:15:56.910", "metrics": {}, "published": "2026-02-14T16:15:56.910", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/126cd30cad37bc7c2c85fe2df2a522d4edf0a5c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/546eba0b10989de9ccc7fd619e874a30561e2b88"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8ea4d96419fb20f15a52ce657d49f1e7c91eb7ac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c3369fc5e6120a72169e71acd72e987907a682af"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cd4412d5905ee580e96c48360dc98fcd9e6f3208"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d2492688bb9fed6ab6e313682c387ae71a66ebae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eaa5da5130deda26420273d4610cf6e4f794ed75"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}