CVE-2026-23372

In rawsockrelease(), cancel any pending txwork and purge the write queue before orphaning the socket. rawsocktxwork runs on the system workqueue and calls nfcdataexchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references.

Set SENDSHUTDOWN first so that if txwork is already running it will see the flag and skip transmitting, then use cancelworksync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23372.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

23b7869c0fd08d73c9f83a2db88a13312d6198bb

Fixed

3ae592ed91bb4b6b51df256b51045c13d2656049

Fixed

722a28b635ec281bb08a23885223526d8e7d6526

Fixed

78141b8832e16d80d09cbefb4258612db0777a24

Fixed

edc988613def90c5b558e025b1b423f48007be06

Fixed

da4515fc8263c5933ed605e396af91079806dc45

Fixed

d793458c45df2aed498d7f74145eab7ee22d25aa

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23372.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

6.1.167

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.130

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.77

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.17

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23372.json"