{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23339", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.997Z", "datePublished": "2026-03-25T10:27:28.073Z", "dateUpdated": "2026-03-25T10:27:28.073Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:28.073Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free skb on nci_transceive early error paths\n\nnci_transceive() takes ownership of the skb passed by the caller,\nbut the -EPROTO, -EINVAL, and -EBUSY error paths return without\nfreeing it.\n\nDue to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes\nthe nci/nci_dev selftest hits the error path occasionally in NIPA,\nand kmemleak detects leaks:\n\nunreferenced object 0xff11000015ce6a40 (size 640):\n comm \"nci_dev\", pid 3954, jiffies 4295441246\n hex dump (first 32 bytes):\n 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk\n 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n backtrace (crc 7c40cc2a):\n kmem_cache_alloc_node_noprof+0x492/0x630\n __alloc_skb+0x11e/0x5f0\n alloc_skb_with_frags+0xc6/0x8f0\n sock_alloc_send_pskb+0x326/0x3f0\n nfc_alloc_send_skb+0x94/0x1d0\n rawsock_sendmsg+0x162/0x4c0\n do_syscall_64+0x117/0xfc0"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/nci/core.c"], "versions": [{"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "33f6b8a96dda045789796c3bcb451c74ac158039", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "3245801d44a44c090acefe19a12d22d12cac45c5", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "9d448bbab724b94d6c561e1f314656f5b88a7cb3", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "54f7f0eaafa56b5994cdb5c7967946922c2e1d22", "status": "affected", "versionType": "git"}, {"version": "6a2968aaf50c7a22fced77a5e24aa636281efca8", "lessThan": "7bd4b0c4779f978a6528c9b7937d2ca18e936e2c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/nci/core.c"], "versions": [{"version": "3.2", "status": "affected"}, {"version": "0", "lessThan": "3.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/33f6b8a96dda045789796c3bcb451c74ac158039"}, {"url": "https://git.kernel.org/stable/c/dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89"}, {"url": "https://git.kernel.org/stable/c/3245801d44a44c090acefe19a12d22d12cac45c5"}, {"url": "https://git.kernel.org/stable/c/9d448bbab724b94d6c561e1f314656f5b88a7cb3"}, {"url": "https://git.kernel.org/stable/c/54f7f0eaafa56b5994cdb5c7967946922c2e1d22"}, {"url": "https://git.kernel.org/stable/c/7bd4b0c4779f978a6528c9b7937d2ca18e936e2c"}], "title": "nfc: nci: free skb on nci_transceive early error paths", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free skb on nci_transceive early error paths\n\nnci_transceive() takes ownership of the skb passed by the caller,\nbut the -EPROTO, -EINVAL, and -EBUSY error paths return without\nfreeing it.\n\nDue to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes\nthe nci/nci_dev selftest hits the error path occasionally in NIPA,\nand kmemleak detects leaks:\n\nunreferenced object 0xff11000015ce6a40 (size 640):\n comm \"nci_dev\", pid 3954, jiffies 4295441246\n hex dump (first 32 bytes):\n 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk\n 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n backtrace (crc 7c40cc2a):\n kmem_cache_alloc_node_noprof+0x492/0x630\n __alloc_skb+0x11e/0x5f0\n alloc_skb_with_frags+0xc6/0x8f0\n sock_alloc_send_pskb+0x326/0x3f0\n nfc_alloc_send_skb+0x94/0x1d0\n rawsock_sendmsg+0x162/0x4c0\n do_syscall_64+0x117/0xfc0"}], "id": "CVE-2026-23339", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:31.670", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3245801d44a44c090acefe19a12d22d12cac45c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/33f6b8a96dda045789796c3bcb451c74ac158039"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/54f7f0eaafa56b5994cdb5c7967946922c2e1d22"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7bd4b0c4779f978a6528c9b7937d2ca18e936e2c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9d448bbab724b94d6c561e1f314656f5b88a7cb3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: nfc: nci: free skb on nci_transceive early error paths", "id": "2451268", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451268"}, "csaw": false, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's Near Field Communication (NFC) subsystem. When the `nci_transceive()` function encounters certain error conditions, it fails to properly free allocated kernel memory. This memory leak can accumulate over time, potentially leading to resource exhaustion and affecting system stability."], "name": "CVE-2026-23339", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23339\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23339\nhttps://lore.kernel.org/linux-cve-announce/2026032534-CVE-2026-23339-263f@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-03-25T11:39:33.906511+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update package from your distribution that includes the patch for the NCI driver.", "If a kernel update is not immediately available, disable or unload the nci or nci_dev kernel modules to prevent the memory\u2011leak path from executing.", "Continuously monitor kernel logs for kmemleak reports or unexpected memory growth while NFC functionality remains enabled.", "Consider applying a local patch that restores skb freeing on the error paths, or rebuild the kernel with the relevant commit that fixed the issue."], "summary": {"action": "Patch Kernel", "impact": "Kernel Memory Exhaustion via NFC NCI Driver Memory Leak"}, "threat_synthesis": {"affected_systems": "The issue affects systems running the Linux kernel that employ the NFC NCI driver. No specific kernel versions are listed, indicating that all releases incorporating the affected code path are potentially vulnerable until patched. The flaw is present in the core kernel, so it is relevant to any distribution that includes the driver without the applied fix.", "description_and_impact": "The vulnerability resides in the NFC NCI driver of the Linux kernel, where the nci_transceive() function fails to release allocated skbuff objects on multiple early error paths. These unfreed buffers accumulate in kernel memory, potentially exhausting available memory and causing a denial\u2011of\u2011service condition. The flaw is a classic memory\u2011leak scenario governed by the wrong management of kernel\u2011level resources.", "risk_and_exploitability": "Although no CVSS or EPSS scores are provided and the vulnerability is not in the CISA KEV list, the risk of exploitation remains significant for environments that actively use NFC NCI functionality. The likely attack vector involves an attacker sending malformed NFC NCI messages or otherwise triggering the error paths that cause the leak. Because the exploit requires privileged interaction with the kernel driver and persistent traffic to accumulate the leak, it may be less convenient than remote code execution, but it can still lead to kernel memory exhaustion and system instability if left unaddressed."}}}}, "created": "2026-03-25T21:32:15.087445+00:00", "updated": "2026-03-25T21:32:15.087530+00:00", "vendors": [], "weaknesses": ["CWE-401"]}