{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23372","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:46.003Z","datePublished":"2026-03-25T10:27:53.308Z","dateUpdated":"2026-05-11T22:05:36.107Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:05:36.107Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: rawsock: cancel tx_work before socket teardown\n\nIn rawsock_release(), cancel any pending tx_work and purge the write\nqueue before orphaning the socket.  rawsock_tx_work runs on the system\nworkqueue and calls nfc_data_exchange which dereferences the NCI\ndevice.  Without synchronization, tx_work can race with socket and\ndevice teardown when a process is killed (e.g. by SIGKILL), leading\nto use-after-free or leaked references.\n\nSet SEND_SHUTDOWN first so that if tx_work is already running it will\nsee the flag and skip transmitting, then use cancel_work_sync to wait\nfor any in-progress execution to finish, and finally purge any\nremaining queued skbs."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/nfc/rawsock.c"],"versions":[{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"9b2d23cd09e1cb56bdf0e4d5614703094159f16c","status":"affected","versionType":"git"},{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"cdeed45ce8c92defd057f7d67ee9a69374d8fa16","status":"affected","versionType":"git"},{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"3ae592ed91bb4b6b51df256b51045c13d2656049","status":"affected","versionType":"git"},{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"722a28b635ec281bb08a23885223526d8e7d6526","status":"affected","versionType":"git"},{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"78141b8832e16d80d09cbefb4258612db0777a24","status":"affected","versionType":"git"},{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"edc988613def90c5b558e025b1b423f48007be06","status":"affected","versionType":"git"},{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"da4515fc8263c5933ed605e396af91079806dc45","status":"affected","versionType":"git"},{"version":"23b7869c0fd08d73c9f83a2db88a13312d6198bb","lessThan":"d793458c45df2aed498d7f74145eab7ee22d25aa","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/nfc/rawsock.c"],"versions":[{"version":"3.1","status":"affected"},{"version":"0","lessThan":"3.1","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.77","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.12.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.18.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"6.19.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9b2d23cd09e1cb56bdf0e4d5614703094159f16c"},{"url":"https://git.kernel.org/stable/c/cdeed45ce8c92defd057f7d67ee9a69374d8fa16"},{"url":"https://git.kernel.org/stable/c/3ae592ed91bb4b6b51df256b51045c13d2656049"},{"url":"https://git.kernel.org/stable/c/722a28b635ec281bb08a23885223526d8e7d6526"},{"url":"https://git.kernel.org/stable/c/78141b8832e16d80d09cbefb4258612db0777a24"},{"url":"https://git.kernel.org/stable/c/edc988613def90c5b558e025b1b423f48007be06"},{"url":"https://git.kernel.org/stable/c/da4515fc8263c5933ed605e396af91079806dc45"},{"url":"https://git.kernel.org/stable/c/d793458c45df2aed498d7f74145eab7ee22d25aa"}],"title":"nfc: rawsock: cancel tx_work before socket teardown","x_generator":{"engine":"bippy-1.2.0"}}}}