CVE-2026-23372 - Vulnerability Details

- nfc: rawsock: cancel tx_work before socket teardown

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket. rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device. Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.

Published: 2026-03-25

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition exists in the Linux kernel’s NFC raw socket implementation where pending transmission work can access the NCI device after the socket and device have been torn down. The kernel may dereference freed memory, leading to a use‑after‑free fault that can crash the system or allow an attacker to execute arbitrary code. The weakness is identified by CWE‑364.

Affected Systems

The flaw is present in the Linux kernel whenever the NFC raw socket code path is compiled. No specific kernel versions are listed in the advisory, so any build that includes this code is potentially affected.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, and the EPSS score of less than 1 % suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to open a raw NFC socket locally and then terminate the owning process (e.g., by sending SIGKILL) to trigger the race. The lack of a known exploit and the local nature of the required actions reduce immediate risk, but the impact of a kernel fault warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< 9b2d23cd09e1cb56bdf0e4d5614703094159f16c
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< cdeed45ce8c92defd057f7d67ee9a69374d8fa16
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< 3ae592ed91bb4b6b51df256b51045c13d2656049
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< 722a28b635ec281bb08a23885223526d8e7d6526
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< 78141b8832e16d80d09cbefb4258612db0777a24
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< edc988613def90c5b558e025b1b423f48007be06
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< da4515fc8263c5933ed605e396af91079806dc45
`23b7869c0fd08d73c9f83a2db88a13312d6198bb`	affected	< d793458c45df2aed498d7f74145eab7ee22d25aa

Linux

affected

Version	Status	Constraints
`3.1`	affected	—
`0`	unaffected	< 3.1
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[23b7869c0fd08d73c9f83a2db88a13312d6198bb,3ae592ed91bb4b6b51df256b51045c13d2656049)`	affected	code_commit	—
`[23b7869c0fd08d73c9f83a2db88a13312d6198bb,722a28b635ec281bb08a23885223526d8e7d6526)`	affected	code_commit	—
`[23b7869c0fd08d73c9f83a2db88a13312d6198bb,78141b8832e16d80d09cbefb4258612db0777a24)`	affected	code_commit	—
`[23b7869c0fd08d73c9f83a2db88a13312d6198bb,edc988613def90c5b558e025b1b423f48007be06)`	affected	code_commit	—
`[23b7869c0fd08d73c9f83a2db88a13312d6198bb,da4515fc8263c5933ed605e396af91079806dc45)`	affected	code_commit	—
`[23b7869c0fd08d73c9f83a2db88a13312d6198bb,d793458c45df2aed498d7f74145eab7ee22d25aa)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.1`	affected	generic	—
`[0,3.1)`	unaffected	generic	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel update that contains the CVE‑2026‑23372 fix
If an update cannot be applied immediately, disable or restrict raw NFC socket functionality on the system
Ensure only privileged processes can create raw NFC sockets and monitor for abrupt process termination
Check system logs for signs of kernel crashes or abnormal memory corruption related to NFC

Generated by OpenCVE AI on April 2, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3ae592ed91bb4b6b51df256b51045c13d2656049
https://git.kernel.org/stable/c/722a28b635ec281bb08a23885223526d8e7d6526
https://git.kernel.org/stable/c/78141b8832e16d80d09cbefb4258612db0777a24
https://git.kernel.org/stable/c/9b2d23cd09e1cb56bdf0e4d5614703094159f16c
https://git.kernel.org/stable/c/cdeed45ce8c92defd057f7d67ee9a69374d8fa16
https://git.kernel.org/stable/c/d793458c45df2aed498d7f74145eab7ee22d25aa
https://git.kernel.org/stable/c/da4515fc8263c5933ed605e396af91079806dc45
https://git.kernel.org/stable/c/edc988613def90c5b558e025b1b423f48007be06
https://lore.kernel.org/linux-cve-announce/2026032541-CVE-2026-23372-7bc9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23372
https://www.cve.org/CVERecord?id=CVE-2026-23372

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/9b2d23cd09e1cb56bdf0e4d5614703094159f16c https://git.kernel.org/stable/c/cdeed45ce8c92defd057f7d67ee9a69374d8fa16

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026032541-CVE-2026-23372-7bc9@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23372 https://www.cve.org/CVERecord?id=CVE-2026-23372

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel tx_work before socket teardown In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references. Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.
Title		nfc: rawsock: cancel tx_work before socket teardown
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3ae592ed91bb4b6b51df256b51045c13d2656049 https://git.kernel.org/stable/c/722a28b635ec281bb08a23885223526d8e7d6526 https://git.kernel.org/stable/c/78141b8832e16d80d09cbefb4258612db0777a24 https://git.kernel.org/stable/c/d793458c45df2aed498d7f74145eab7ee22d25aa https://git.kernel.org/stable/c/da4515fc8263c5933ed605e396af91079806dc45 https://git.kernel.org/stable/c/edc988613def90c5b558e025b1b423f48007be06

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:53.308Z

Updated: 2026-04-18T08:58:18.823Z

Reserved: 2026-01-13T15:37:46.003Z

Link: CVE-2026-23372

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:36.780

Modified: 2026-04-18T09:16:22.090

Link: CVE-2026-23372

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23372 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:23:02Z

Weaknesses

CWE-364

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object