Linux Kernel NFC rawsock UAF via race during tx_work teardown
CVE-2026-23372 Published on March 25, 2026
nfc: rawsock: cancel tx_work before socket teardown
In the Linux kernel, the following vulnerability has been resolved:
nfc: rawsock: cancel tx_work before socket teardown
In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket. rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device. Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.
Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.
Products Associated with CVE-2026-23372
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 23b7869c0fd08d73c9f83a2db88a13312d6198bb and below 3ae592ed91bb4b6b51df256b51045c13d2656049 is affected.
- Version 23b7869c0fd08d73c9f83a2db88a13312d6198bb and below 722a28b635ec281bb08a23885223526d8e7d6526 is affected.
- Version 23b7869c0fd08d73c9f83a2db88a13312d6198bb and below 78141b8832e16d80d09cbefb4258612db0777a24 is affected.
- Version 23b7869c0fd08d73c9f83a2db88a13312d6198bb and below edc988613def90c5b558e025b1b423f48007be06 is affected.
- Version 23b7869c0fd08d73c9f83a2db88a13312d6198bb and below da4515fc8263c5933ed605e396af91079806dc45 is affected.
- Version 23b7869c0fd08d73c9f83a2db88a13312d6198bb and below d793458c45df2aed498d7f74145eab7ee22d25aa is affected.
- Version 3.1 is affected.
- Before 3.1 is unaffected.
- Version 6.1.167, <= 6.1.* is unaffected.
- Version 6.6.130, <= 6.6.* is unaffected.
- Version 6.12.77, <= 6.12.* is unaffected.
- Version 6.18.17, <= 6.18.* is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc3, <= * is unaffected.