Skip to main content

Linux CVE-2026-23372

| EUVDEUVD-2026-15359 HIGH
2026-03-25 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15359
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.

AnalysisAI

Local privilege escalation and denial of service in Linux kernel NFC rawsock implementation (versions 3.1 through 6.19.6, patched in 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, 7.0-rc3) allows authenticated local users to trigger use-after-free conditions via race between socket teardown and asynchronous NFC data transmission. CVSS 7.8 HIGH with local attack vector requiring low privileges. EPSS score 0.02% (6th percentile) indicates minimal real-world exploitation probability. Vendor patches available across all stable kernel branches since early 2026.

Technical ContextAI

The vulnerability exists in the Linux kernel's NFC (Near Field Communication) rawsock implementation, specifically in the socket release path. The rawsock_release() function failed to properly synchronize with the asynchronous tx_work workqueue task before tearing down socket and device structures. The tx_work handler (rawsock_tx_work) executes on the system workqueue and calls nfc_data_exchange(), which dereferences NCI (NFC Controller Interface) device structures. When a process using an NFC raw socket is terminated abruptly (e.g., via SIGKILL), a race condition occurs: the socket and underlying NFC device may be freed while tx_work is still queued or executing, leading to use-after-free memory corruption. The affected code path has existed since Linux kernel 3.1 when the NFC rawsock functionality (commit 23b7869c0fd0) was introduced. The vulnerability represents a classic asynchronous resource management failure where concurrent execution paths access shared resources without proper lifetime management and synchronization primitives.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.167 or later for 6.1 LTS branch, 6.6.130+ for 6.6 stable, 6.12.77+ for 6.12 stable, 6.18.17+ for 6.18 stable, 6.19.7+ for 6.19 stable, or 7.0-rc3+ for mainline development. Distribution-specific updates should be applied through normal package management (apt/yum/dnf) as vendors backport fixes to supported kernel versions. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Blacklist NFC kernel modules (nfc.ko, nci.ko) via /etc/modprobe.d/ configuration to prevent module loading - eliminates NFC functionality entirely but removes attack surface on systems not requiring NFC; (2) Restrict access to /dev/nfc* device nodes and NFC socket creation using AppArmor/SELinux policies or group-based permissions - reduces attack surface to explicitly authorized users but requires policy customization and may break legitimate NFC applications; (3) Disable NFC subsystem at boot via kernel command line parameter (nfc.disable=1 if available) - OS-level mitigation but requires bootloader reconfiguration and reboot. Workarounds reduce but do not eliminate risk as race conditions may still trigger under specific timing conditions. Patching remains the definitive remediation. Verify patch application by checking kernel version with 'uname -r' and confirming commit presence with 'git log' on kernel source or reviewing distribution security advisories.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy