Bug 2484467 (CVE-2026-46267) - CVE-2026-46267 kernel: nfc: hci: shdlc: Stop timers and work before freeing context
Summary: CVE-2026-46267 kernel: nfc: hci: shdlc: Stop timers and work before freeing c...
Keywords:
Status: NEW
Alias: CVE-2026-46267
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-03 18:02 UTC by OSIDB Bzimport
Modified: 2026-06-03 19:18 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-03 18:02:52 UTC
In the Linux kernel, the following vulnerability has been resolved:

nfc: hci: shdlc: Stop timers and work before freeing context

llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc
structure while its timers and state machine work may still be active.

Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state
and the skb queues. If teardown happens in parallel with a queued/running
work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm_work synchronously before purging the
queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.


Note You need to log in before you can comment on or make changes to this bug.