Skip to main content

Linux EUVDEUVD-2026-15305

| CVE-2026-23339 MEDIUM
Memory Leak (CWE-401)
2026-03-25 Linux GHSA-77ph-fpqv-c298
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:27 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15305
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: free skb on nci_transceive early error paths

nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it.

Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks:

unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffies 4295441246 hex dump (first 32 bytes): 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk backtrace (crc 7c40cc2a): kmem_cache_alloc_node_noprof+0x492/0x630 __alloc_skb+0x11e/0x5f0 alloc_skb_with_frags+0xc6/0x8f0 sock_alloc_send_pskb+0x326/0x3f0 nfc_alloc_send_skb+0x94/0x1d0 rawsock_sendmsg+0x162/0x4c0 do_syscall_64+0x117/0xfc0

AnalysisAI

A memory leak vulnerability exists in the Linux kernel's NFC NCI subsystem where the nci_transceive() function fails to free socket buffer (skb) objects on three early error paths (-EPROTO, -EINVAL, -EBUSY), causing kernel memory exhaustion over time. The vulnerability affects all Linux kernel versions with the vulnerable code in the NFC NCI driver, impacting any system with NFC capabilities that processes malformed or resource-constrained NCI transactions. While not directly exploitable for code execution, attackers can trigger memory exhaustion leading to denial of service by sending specially crafted NFC messages that trigger the error paths, and the vulnerability has been confirmed in kernel self-tests via kmemleak detection.

Technical ContextAI

The vulnerability resides in the Linux kernel's Near Field Communication (NFC) subsystem, specifically in the NCI (NFC Controller Interface) implementation located at the nci_transceive() function. The NCI protocol is a standardized interface between NFC controllers and the host. The root cause is a resource management failure classified as a memory leak (related to CWE-401: Missing Release of Memory after Effective Lifetime and CWE-772: Missing Release of Resource after Successful Operation). The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, indicating all Linux kernel versions containing the unfixed code. The nci_transceive() function takes ownership of a socket buffer (skb) object passed by callers in the NFC raw socket path (rawsock_sendmsg), but three specific error conditions (-EPROTO for protocol violations, -EINVAL for invalid parameters, -EBUSY for resource contention) return early without invoking kfree_skb() or dev_kfree_skb_any(), violating the established ownership contract.

RemediationAI

Apply kernel patches from the stable Linux kernel repository by upgrading to a kernel version containing one of the following commits: 33f6b8a96dda, dcbcccfc5195, 3245801d44a4, 9d448bbab724, 54f7f0eaafa5, or 7bd4b0c4779f (available via https://git.kernel.org/stable/). For distribution users, check vendor security advisories and apply provided kernel updates once released (Ubuntu, Fedora, RHEL, Debian, etc. will provide patched kernels). Until patching is possible, mitigation options are limited but include disabling NFC functionality at boot time (via kernel command-line parameters or device tree modifications) if NFC is not required, and implementing network-level isolation to restrict NFC communication if the device bridges to untrusted networks. For mobile and IoT deployments, prioritize patching as DoS attacks against the NFC stack can degrade device responsiveness or trigger reboots.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy