Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: free skb on nci_transceive early error paths

nci_transceive() takes ownership of the skb passed by the caller,
but the -EPROTO, -EINVAL, and -EBUSY error paths return without
freeing it.

Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes
the nci/nci_dev selftest hits the error path occasionally in NIPA,
and kmemleak detects leaks:

unreferenced object 0xff11000015ce6a40 (size 640):
comm "nci_dev", pid 3954, jiffies 4295441246
hex dump (first 32 bytes):
6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
backtrace (crc 7c40cc2a):
kmem_cache_alloc_node_noprof+0x492/0x630
__alloc_skb+0x11e/0x5f0
alloc_skb_with_frags+0xc6/0x8f0
sock_alloc_send_pskb+0x326/0x3f0
nfc_alloc_send_skb+0x94/0x1d0
rawsock_sendmsg+0x162/0x4c0
do_syscall_64+0x117/0xfc0
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak (Resource Exhaustion)
Action: Apply Patch
AI Analysis

Impact

The Linux kernel’s NFC NCI subsystem contains a flaw where nci_transceive() accepts a socket buffer from the caller and is responsible for freeing it on normal return, but when the function exits due to protocol, input validation, or busy errors it fails to release the buffer. This omission results in unreleased kernel memory, as identified by kmemleak, and exemplifies the CWE-401 and CWE-772 weaknesses. Over time repeated invocations of these error paths can consume system memory, potentially leading to instability or crashes, but do not provide a remote code execution path.

Affected Systems

Any Linux kernel build that incorporates the unpatched NFC NCI driver is affected; all kernel versions prior to the commit that implements the fix are vulnerable. The provided CPE strings indicate that kernels from 3.2 onward, including early release candidates of 7.0, are at risk, meaning many embedded devices and general-purpose systems that enable NFC support could be impacted.

Risk and Exploitability

The EPSS score indicates less than 1% probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited active targeting. Based on the description, the likely attack vector is a local or device‑level attacker sending malformed NFC frames or triggering the NIPA selftest to repeatedly exercise the error paths. While there is no remote code execution capability, persistent memory exhaustion can lead to a denial‑of‑service condition. The CVSS score of 5.5 reflects this moderate severity.

Generated by OpenCVE AI on April 29, 2026 at 00:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the patch for nci_transceive error handling.
  • Disable the NFC NCI driver (nci_dev) or block access to NFC devices to prevent interaction.
  • Run kmemleak or monitor system memory usage to detect unreleased buffers and identify potential exploitation.

Generated by OpenCVE AI on April 29, 2026 at 00:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Thu, 23 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks: unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffies 4295441246 hex dump (first 32 bytes): 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk backtrace (crc 7c40cc2a): kmem_cache_alloc_node_noprof+0x492/0x630 __alloc_skb+0x11e/0x5f0 alloc_skb_with_frags+0xc6/0x8f0 sock_alloc_send_pskb+0x326/0x3f0 nfc_alloc_send_skb+0x94/0x1d0 rawsock_sendmsg+0x162/0x4c0 do_syscall_64+0x117/0xfc0
Title nfc: nci: free skb on nci_transceive early error paths
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:02.658Z

Reserved: 2026-01-13T15:37:45.997Z

Link: CVE-2026-23339

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:31.670

Modified: 2026-04-23T21:17:17.730

Link: CVE-2026-23339

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23339 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:45:26Z

Weaknesses