HIGH
nfc SHDLC UAF
CVE-2026-46267
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: hci: shdlc: Stop timers and work before freeing context

llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
02 KernelScan AI Analysis
Risk summary
A race condition in NFC HCI SHDLC teardown can be triggered by a local, low-privileged attacker to cause a kernel use-after-free. Exploitation of the heap UAF can lead to kernel memory corruption, information leakage, and denial of service (kernel panic). Systems with the NFC subsystem enabled are at risk.
Vulnerability analysis
llc_shdlc_deinit() purges skb queues and frees the llc_shdlc structure without first stopping the SHDLC timers or synchronously canceling sm_work. Active timer callbacks (t1_timer, t2_timer, connect_timer) can schedule sm_work, which then accesses the freed SHDLC state and queue heads. This creates a use-after-free and potential shutdown race. The fix adds timer_shutdown_sync() for all three timers, clears the active flags, and calls cancel_work_sync(&shdlc->sm_work) before purging queues and freeing memory.
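As an added illustration (not code from the kernel or from this advisory), the following single-threaded C model replays the teardown ordering described above: a timer expiry queues sm_work, teardown runs, and only then does the queued work execute. The workqueue, timer and context here are simplified stand-ins for the kernel's APIs, and kfree() is modelled by a `freed` flag so that a late sm_work run can be counted instead of corrupting memory.

```c
#include <stdbool.h>
/* Minimal model of a kernel workqueue with a single pending slot:
 * schedule_work() queues, cancel_work_sync() dequeues, run_workqueue() executes. */
struct work { void (*fn)(void *); void *arg; };
static struct work *pending_work;

static void schedule_work(struct work *w) { pending_work = w; }
static void cancel_work_sync(struct work *w) { if (pending_work == w) pending_work = 0; }
static void run_workqueue(void)
{
    struct work *w = pending_work;
    pending_work = 0;
    if (w) w->fn(w->arg);
}

/* Model of llc_shdlc: a timer flag, sm_work, a frame queue and a "freed" mark
 * standing in for kfree(); work touching a freed context is counted as a UAF. */
struct shdlc { bool timers_active; int frames; struct work sm_work; bool freed; };
static int uaf_hits;

static void sm_work_fn(void *arg)
{
    struct shdlc *s = arg;
    if (s->freed) uaf_hits++;             /* state machine ran on a dead context */
    else if (s->frames > 0) s->frames--;  /* normal case: consume a queued frame */
}
/* Timer callbacks (t1/t2/connect) only queue sm_work while the timer is live. */
static void timer_fire(struct shdlc *s) { if (s->timers_active) schedule_work(&s->sm_work); }

/* Original ordering: purge the queues and free while sm_work may still be queued. */
static void deinit_vulnerable(struct shdlc *s) { s->frames = 0; s->freed = true; }

/* Fixed ordering: stop the timers (timer_shutdown_sync analogue), cancel sm_work
 * synchronously (cancel_work_sync analogue), then purge the queues and free. */
static void deinit_fixed(struct shdlc *s)
{
    s->timers_active = false;
    cancel_work_sync(&s->sm_work);
    s->frames = 0; s->freed = true;
}

/* A timer fires just before teardown; the workqueue then gets to run. */
int teardown_uaf_hits(bool fixed)
{
    struct shdlc s = { .timers_active = true, .frames = 2 };
    s.sm_work.fn = sm_work_fn; s.sm_work.arg = &s;
    uaf_hits = 0;
    timer_fire(&s);                    /* t1 expiry queues sm_work */
    if (fixed) deinit_fixed(&s); else deinit_vulnerable(&s);
    run_workqueue();                   /* queued work runs after teardown */
    return uaf_hits;
}
```

With the original ordering the queued sm_work runs against the freed context (one hit); with the fixed ordering the cancel removes it before the free and nothing runs.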
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.202 | c60f41022eaa |
| 6.1 | 6.1.165 | a24a676329d4 |
| 6.6 | 6.6.128 | 77eef9f2eef0 |
| 6.12 | 6.12.75 | cf70cedce327 |
| 6.18 | 6.18.14 | 276820278e97 |
| 6.19 | 6.19.4 | 1cb97b122545 |
| mainline | 7.0 | c9efde1e537b |