2451262 – (CVE-2026-23372) CVE-2026-23372 kernel: nfc: rawsock: cancel tx_work before socket teardown

Bug 2451262 (CVE-2026-23372) - CVE-2026-23372 kernel: nfc: rawsock: cancel tx_work before socket teardown

Summary: CVE-2026-23372 kernel: nfc: rawsock: cancel tx_work before socket teardown

Keywords:
Status:	NEW
Alias:	CVE-2026-23372
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-25 11:07 UTC by OSIDB Bzimport
Modified:	2026-03-25 12:28 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-25 11:07:43 UTC

In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket.  rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device.  Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.

Comment 1 Alexander B 2026-03-25 12:24:46 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032541-CVE-2026-23372-7bc9@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.