HIGH
nfc RawSock Race
CVE-2026-23372
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.
02 KernelScan AI Analysis
Risk summary
A race condition in NFC raw socket teardown can cause use-after-free when a process is killed, potentially leading to information disclosure, kernel memory corruption, or system crashes. Systems with NFC hardware and local user access are at risk; multi-tenant environments face cross-tenant denial of service from unprivileged users.
Vulnerability analysis
The vulnerability occurs when rawsock_release() races with rawsock_tx_work running on the system workqueue. Without proper synchronization, the worker can access freed NCI device memory after socket teardown begins. The fix sets the SEND_SHUTDOWN flag, calls cancel_work_sync() to wait for the worker to finish, and purges the write queue, all before the socket is orphaned. The use-after-free primitive can leak kernel heap contents (confidentiality impact) and corrupt memory (integrity impact), and typically results in a kernel panic (availability impact). An attack requires local access to create NFC sockets and to trigger the race condition through process termination.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 9b2d23cd09e1 |
| 5.15 | 5.15.203 | cdeed45ce8c9 |
| 6.1 | 6.1.167 | 3ae592ed91bb |
| 6.6 | 6.6.130 | 722a28b635ec |
| 6.12 | 6.12.77 | 78141b8832e1 |
| 6.18 | 6.18.17 | edc988613def |
| 6.19 | 6.19.7 | da4515fc8263 |
| mainline | 7.0 | d793458c45df |
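
One way to check a host against the table above, as an added example that is not part of the original page or of KernelScan: it compares a `uname -r` style release string with the first fixed version for its stable branch. The function names and status labels are hypothetical, and the comparison assumes upstream version numbering; distribution kernels that backport fixes under their own version scheme have to be checked against the vendor's advisory instead.

```python
import platform
import re

# First fixed patch level per stable branch, copied from the Fix Versions table.
FIXED_PATCHLEVEL = {
    (5, 10): 253, (5, 15): 203, (6, 1): 167, (6, 6): 130,
    (6, 12): 77, (6, 18): 17, (6, 19): 7,
}
MAINLINE_FIXED = (7, 0)  # "mainline" row of the table


def parse_release(release):
    """Extract (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fix_status(release):
    """Return 'fixed', 'below-fix' or 'unknown' for an upstream-numbered kernel."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch == MAINLINE_FIXED and "-rc" in release:
        return "unknown"  # a release candidate may predate the fix commit
    if branch >= MAINLINE_FIXED:
        return "fixed"
    fixed_at = FIXED_PATCHLEVEL.get(branch)
    if fixed_at is None:
        return "unknown"  # branch not listed on the page: no basis for a verdict
    return "fixed" if patch >= fixed_at else "below-fix"


if __name__ == "__main__":
    # Constructed sample release strings.
    for rel in ("6.6.129-generic", "6.6.130", "6.12.77-rt", "6.17.3", "7.0.0-rc1"):
        print(f"{rel:18} {fix_status(rel)}")
    if platform.system() == "Linux":
        host = platform.release()
        print(f"{host:18} {fix_status(host)}  (this host)")
```

A result of `unknown` means the branch does not appear in the table, so the page gives no fixed version to compare against.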