CVE-2026-46267 - Vulnerability Details

- nfc: hci: shdlc: Stop timers and work before freeing context

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: hci: shdlc: Stop timers and work before freeing context

llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc
structure while its timers and state machine work may still be active.

Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state
and the skb queues. If teardown happens in parallel with a queued/running
work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm_work synchronously before purging the
queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Published: 2026-06-03

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a race condition in the NFC HCI SHDLC part of the Linux kernel. During deinitialization, the llc_shdlc structure is freed while its timers and state‑machine work are still active. Timer callbacks may schedule sm_work, which accesses the SHDLC state and packet queues. If teardown occurs concurrently with queued or running work, the freed object can be accessed again, leading to a use‑after‑free and potentially corrupting kernel memory or triggering a crash.

Affected Systems

Any Linux kernel that loads the llc_shdlc (NFC HCI SHDLC) driver is affected. The issue exists in configurations that include this driver, regardless of the exact kernel version, as long as the unpatched code is present.

Risk and Exploitability

EPSS score is <1% and the vulnerability is not listed in CISA KEV. The CVSS score is 7.8. Kernel‑space use‑after‑free errors are high severity, and exploitation requires certain conditions. The likely attack vector requires local privileged access or a scenario where an attacker can trigger module teardown while work items are pending. If exploited, it can lead to denial of service or arbitrary code execution in kernel mode.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4a61cd6687fc6348d08724676d34e38160d6cf9b`	affected	< c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
`4a61cd6687fc6348d08724676d34e38160d6cf9b`	affected	< a24a676329d40481b2331bfa1418a679577dfd3a
`4a61cd6687fc6348d08724676d34e38160d6cf9b`	affected	< 77eef9f2eef045c3c37a3df82d3e661afb866b98
`4a61cd6687fc6348d08724676d34e38160d6cf9b`	affected	< cf70cedce327833296ebe6043364d1e44b76a2ab
`4a61cd6687fc6348d08724676d34e38160d6cf9b`	affected	< 276820278e9717cc7d4bb32381892dd3ddf418d4
`4a61cd6687fc6348d08724676d34e38160d6cf9b`	affected	< 1cb97b1225450af3f7b728777929ba50c6a58ced
`4a61cd6687fc6348d08724676d34e38160d6cf9b`	affected	< c9efde1e537baed7648a94022b43836a348a074f

Linux

affected

Version	Status	Constraints
`3.7`	affected	—
`0`	unaffected	< 3.7
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4a61cd6687fc6348d08724676d34e38160d6cf9b,c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e)`	affected	code_commit	—
`[4a61cd6687fc6348d08724676d34e38160d6cf9b,a24a676329d40481b2331bfa1418a679577dfd3a)`	affected	code_commit	—
`[4a61cd6687fc6348d08724676d34e38160d6cf9b,77eef9f2eef045c3c37a3df82d3e661afb866b98)`	affected	code_commit	—
`[4a61cd6687fc6348d08724676d34e38160d6cf9b,cf70cedce327833296ebe6043364d1e44b76a2ab)`	affected	code_commit	—
`[4a61cd6687fc6348d08724676d34e38160d6cf9b,276820278e9717cc7d4bb32381892dd3ddf418d4)`	affected	code_commit	—
`[4a61cd6687fc6348d08724676d34e38160d6cf9b,1cb97b1225450af3f7b728777929ba50c6a58ced)`	affected	code_commit	—
`[4a61cd6687fc6348d08724676d34e38160d6cf9b,c9efde1e537baed7648a94022b43836a348a074f)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.7`	affected	generic	—
`[0,3.7)`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the commit that stops timers and cancels work before freeing the SHDLC context
If an upgrade cannot be performed immediately, unload or disable the llc_shdlc module to prevent the race condition
Continuously monitor dmesg and system logs for SHDLC‑related errors to detect any remaining activity

Generated by OpenCVE AI on June 9, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00121.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced
https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4
https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98
https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a
https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f
https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab
https://lore.kernel.org/linux-cve-announce/2026060338-CVE-2026-46267-5845@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46267
https://www.cve.org/CVERecord?id=CVE-2026-46267

History

Tue, 09 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 04 Jun 2026 02:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416 CWE-636

Thu, 04 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026060338-CVE-2026-46267-5845@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46267 https://www.cve.org/CVERecord?id=CVE-2026-46267

Wed, 03 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416 CWE-636

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nfc: hci: shdlc: Stop timers and work before freeing context llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races. Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Title		nfc: hci: shdlc: Stop timers and work before freeing context
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4 https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98 https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-03T15:50:09.035Z

Updated: 2026-06-03T15:50:09.035Z

Reserved: 2026-05-13T15:03:33.108Z

Link: CVE-2026-46267

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-06-03T18:16:28.320

Modified: 2026-06-09T19:48:21.260

Link: CVE-2026-46267

Redhat

Severity :

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46267 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T22:30:14Z

Weaknesses

CWE-364
Signal Handler Race Condition
CWE-416
Use After Free

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object