Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket. rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device. Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free
Action: Immediate Patch
AI Analysis

Impact

A race condition exists in the Linux kernel’s NFC raw socket implementation where pending transmission work can access the NCI device after the socket and device have been torn down. The kernel may dereference freed memory, leading to a use‑after‑free fault that can crash the system or allow an attacker to execute arbitrary code. The weakness is identified by CWE‑364.

Affected Systems

Specifically, the vulnerability exists in the Linux kernel versions 3.1, as well as 7.0 release candidates rc1 through rc7. The flaw is present in any kernel build that includes the NFC raw socket implementation. Therefore systems running any of those kernel versions, or kernels derived from them that still compile the NFC raw socket code, are potentially affected.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, and the EPSS score of less than 1 % suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to open a raw NFC socket locally and then terminate the owning process (e.g., by sending SIGKILL) to trigger the race. The lack of a known exploit and the local nature of the required actions reduce immediate risk, but the impact of a kernel fault warrants prompt remediation.

Generated by OpenCVE AI on April 28, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that contains the CVE‑2026‑23372 fix
  • If an update cannot be applied immediately, disable or restrict raw NFC socket functionality on the system
  • Ensure only privileged processes can create raw NFC sockets and monitor for abrupt process termination
  • Check system logs for signs of kernel crashes or abnormal memory corruption related to NFC

Generated by OpenCVE AI on April 28, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 24 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:3.1:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel tx_work before socket teardown In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references. Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.
Title nfc: rawsock: cancel tx_work before socket teardown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:18.823Z

Reserved: 2026-01-13T15:37:46.003Z

Link: CVE-2026-23372

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:36.780

Modified: 2026-04-24T16:36:05.093

Link: CVE-2026-23372

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23372 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T22:00:14Z

Weaknesses