CVE-2026-23330 - Vulnerability Details

- nfc: nci: complete pending data exchange on device close

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: complete pending data exchange on device close

In nci_close_device(), complete any pending data exchange before
closing. The data exchange callback (e.g.
rawsock_data_exchange_complete) holds a socket reference.

NIPA occasionally hits this leak:

unreferenced object 0xff1100000f435000 (size 2048):
comm "nci_dev", pid 3954, jiffies 4295441245
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc ec2b3c5):
__kmalloc_noprof+0x4db/0x730
sk_prot_alloc.isra.0+0xe4/0x1d0
sk_alloc+0x36/0x760
rawsock_create+0xd1/0x540
nfc_sock_create+0x11f/0x280
__sock_create+0x22d/0x630
__sys_socket+0x115/0x1d0
__x64_sys_socket+0x72/0xd0
do_syscall_64+0x117/0xfc0
entry_SYSCALL_64_after_hwframe+0x4b/0x53

Published: 2026-03-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel routine that closes an NFC device omitted the cleanup of resources tied to pending data exchanges. When a device is closed, an unreferenced memory object—specifically a socket structure held by the data‑exchange callback—is left behind. The accumulation of such leaked objects can consume kernel memory and potentially trigger denial‑of‑service conditions if triggered repeatedly.

Affected Systems

All Linux kernel builds that did not incorporate the commit adding the missing completion call in nci_close_device() are affected. The vulnerability exists in the kernel source before that change, so any distribution shipping the unpatched kernel is vulnerable. The problem is kernel‑level and applies to all vendors that provide the affected kernel release.

Risk and Exploitability

Exploitation requires privileges capable of closing an NFC device, i.e., kernel or driver‑level access. The EPSS score is below 1 % and the vulnerability is not listed in the KEV catalog, suggesting a low probability of active exploitation. Nevertheless, an attacker with sufficient access could repeatedly trigger the leak to exhaust memory, leading to degraded system availability. Updating the kernel removes the flaw entirely.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`38f04c6b1b682f1879441e2925403ad9aff9e229`	affected	< 702029337b057085ea13f964822dcd95e0fe53f5
`38f04c6b1b682f1879441e2925403ad9aff9e229`	affected	< 91ff0d8c3464da7f0c43da38c195e60b660128bf
`38f04c6b1b682f1879441e2925403ad9aff9e229`	affected	< d05f55d68ebdebb2b0a8480d766eaae88c8c92de
`38f04c6b1b682f1879441e2925403ad9aff9e229`	affected	< 66083581945bd5b8e99fe49b5aeb83d03f62d053

Linux

affected

Version	Status	Constraints
`3.2`	affected	—
`0`	unaffected	< 3.2
`6.12.82`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[38f04c6b1b682f1879441e2925403ad9aff9e229,91ff0d8c3464da7f0c43da38c195e60b660128bf)`	affected	code_commit	—
`[38f04c6b1b682f1879441e2925403ad9aff9e229,d05f55d68ebdebb2b0a8480d766eaae88c8c92de)`	affected	code_commit	—
`[38f04c6b1b682f1879441e2925403ad9aff9e229,66083581945bd5b8e99fe49b5aeb83d03f62d053)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.2`	affected	generic	—
`[0,3.2)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch for nci_close_device() (the commit referenced in the advisory).
If a direct update is not possible, apply the vendor‑provided backport or patch that restores the proper completion of pending data exchanges before device close.
After updating, verify the kernel version and use memory‑leak detection tools such as NIPA to confirm that no unreferenced objects remain; reboot if any leaks are detected.

Generated by OpenCVE AI on March 26, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/66083581945bd5b8e99fe49b5aeb83d03f62d053
https://git.kernel.org/stable/c/702029337b057085ea13f964822dcd95e0fe53f5
https://git.kernel.org/stable/c/91ff0d8c3464da7f0c43da38c195e60b660128bf
https://git.kernel.org/stable/c/d05f55d68ebdebb2b0a8480d766eaae88c8c92de
https://lore.kernel.org/linux-cve-announce/2026032532-CVE-2026-23330-00fd@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23330
https://www.cve.org/CVERecord?id=CVE-2026-23330

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/702029337b057085ea13f964822dcd95e0fe53f5

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-582

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026032532-CVE-2026-23330-00fd@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23330 https://www.cve.org/CVERecord?id=CVE-2026-23330
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-582

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nfc: nci: complete pending data exchange on device close In nci_close_device(), complete any pending data exchange before closing. The data exchange callback (e.g. rawsock_data_exchange_complete) holds a socket reference. NIPA occasionally hits this leak: unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc ec2b3c5): __kmalloc_noprof+0x4db/0x730 sk_prot_alloc.isra.0+0xe4/0x1d0 sk_alloc+0x36/0x760 rawsock_create+0xd1/0x540 nfc_sock_create+0x11f/0x280 __sock_create+0x22d/0x630 __sys_socket+0x115/0x1d0 __x64_sys_socket+0x72/0xd0 do_syscall_64+0x117/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
Title		nfc: nci: complete pending data exchange on device close
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/66083581945bd5b8e99fe49b5aeb83d03f62d053 https://git.kernel.org/stable/c/91ff0d8c3464da7f0c43da38c195e60b660128bf https://git.kernel.org/stable/c/d05f55d68ebdebb2b0a8480d766eaae88c8c92de

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:21.871Z

Updated: 2026-04-18T08:57:58.619Z

Reserved: 2026-01-13T15:37:45.996Z

Link: CVE-2026-23330

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:30.263

Modified: 2026-04-18T09:16:19.023

Link: CVE-2026-23330

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23330 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:49:43Z

Weaknesses

CWE-772

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object