{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23372", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:53.308Z", "dateUpdated": "2026-05-11T22:05:36.107Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:05:36.107Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: rawsock: cancel tx_work before socket teardown\n\nIn rawsock_release(), cancel any pending tx_work and purge the write\nqueue before orphaning the socket. rawsock_tx_work runs on the system\nworkqueue and calls nfc_data_exchange which dereferences the NCI\ndevice. Without synchronization, tx_work can race with socket and\ndevice teardown when a process is killed (e.g. by SIGKILL), leading\nto use-after-free or leaked references.\n\nSet SEND_SHUTDOWN first so that if tx_work is already running it will\nsee the flag and skip transmitting, then use cancel_work_sync to wait\nfor any in-progress execution to finish, and finally purge any\nremaining queued skbs."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/rawsock.c"], "versions": [{"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "9b2d23cd09e1cb56bdf0e4d5614703094159f16c", "status": "affected", "versionType": "git"}, {"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "cdeed45ce8c92defd057f7d67ee9a69374d8fa16", "status": "affected", "versionType": "git"}, {"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "3ae592ed91bb4b6b51df256b51045c13d2656049", "status": "affected", "versionType": "git"}, {"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "722a28b635ec281bb08a23885223526d8e7d6526", "status": "affected", "versionType": "git"}, {"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "78141b8832e16d80d09cbefb4258612db0777a24", "status": "affected", "versionType": "git"}, {"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "edc988613def90c5b558e025b1b423f48007be06", "status": "affected", "versionType": "git"}, {"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "da4515fc8263c5933ed605e396af91079806dc45", "status": "affected", "versionType": "git"}, {"version": "23b7869c0fd08d73c9f83a2db88a13312d6198bb", "lessThan": "d793458c45df2aed498d7f74145eab7ee22d25aa", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/nfc/rawsock.c"], "versions": [{"version": "3.1", "status": "affected"}, {"version": "0", "lessThan": "3.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9b2d23cd09e1cb56bdf0e4d5614703094159f16c"}, {"url": "https://git.kernel.org/stable/c/cdeed45ce8c92defd057f7d67ee9a69374d8fa16"}, {"url": "https://git.kernel.org/stable/c/3ae592ed91bb4b6b51df256b51045c13d2656049"}, {"url": "https://git.kernel.org/stable/c/722a28b635ec281bb08a23885223526d8e7d6526"}, {"url": "https://git.kernel.org/stable/c/78141b8832e16d80d09cbefb4258612db0777a24"}, {"url": "https://git.kernel.org/stable/c/edc988613def90c5b558e025b1b423f48007be06"}, {"url": "https://git.kernel.org/stable/c/da4515fc8263c5933ed605e396af91079806dc45"}, {"url": "https://git.kernel.org/stable/c/d793458c45df2aed498d7f74145eab7ee22d25aa"}], "title": "nfc: rawsock: cancel tx_work before socket teardown", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4333338A-C6E8-4E3E-B55E-4B83879A9E8E", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.1:-:*:*:*:*:*:*", "matchCriteriaId": "98093688-6D93-4911-8D48-AC4A4619BCED", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: rawsock: cancel tx_work before socket teardown\n\nIn rawsock_release(), cancel any pending tx_work and purge the write\nqueue before orphaning the socket. rawsock_tx_work runs on the system\nworkqueue and calls nfc_data_exchange which dereferences the NCI\ndevice. Without synchronization, tx_work can race with socket and\ndevice teardown when a process is killed (e.g. by SIGKILL), leading\nto use-after-free or leaked references.\n\nSet SEND_SHUTDOWN first so that if tx_work is already running it will\nsee the flag and skip transmitting, then use cancel_work_sync to wait\nfor any in-progress execution to finish, and finally purge any\nremaining queued skbs."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnfc: rawsock: cancelar tx_work antes del desmontaje del socket\n\nEn rawsock_release(), cancelar cualquier tx_work pendiente y purgar la cola de escritura antes de dejar hu\u00e9rfano el socket. rawsock_tx_work se ejecuta en la cola de trabajo del sistema y llama a nfc_data_exchange, que desreferencia el dispositivo NCI. Sin sincronizaci\u00f3n, tx_work puede competir con el desmontaje del socket y del dispositivo cuando un proceso es terminado (p. ej., por SIGKILL), lo que lleva a uso despu\u00e9s de liberaci\u00f3n o referencias filtradas.\n\nEstablecer SEND_SHUTDOWN primero para que si tx_work ya se est\u00e1 ejecutando, vea la bandera y omita la transmisi\u00f3n, luego usar cancel_work_sync para esperar a que finalice cualquier ejecuci\u00f3n en curso, y finalmente purgar cualquier skbs en cola restante."}], "id": "CVE-2026-23372", "lastModified": "2026-04-24T16:36:05.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:36.780", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3ae592ed91bb4b6b51df256b51045c13d2656049"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/722a28b635ec281bb08a23885223526d8e7d6526"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/78141b8832e16d80d09cbefb4258612db0777a24"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9b2d23cd09e1cb56bdf0e4d5614703094159f16c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cdeed45ce8c92defd057f7d67ee9a69374d8fa16"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d793458c45df2aed498d7f74145eab7ee22d25aa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/da4515fc8263c5933ed605e396af91079806dc45"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/edc988613def90c5b558e025b1b423f48007be06"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nfc: rawsock: cancel tx_work before socket teardown", "id": "2451262", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451262"}, "csaw": false, "cwe": "CWE-364", "details": ["A flaw was found in the Linux kernel's Near Field Communication (NFC) rawsock component. A race condition can occur during the teardown of a socket and its associated device, particularly when a process is terminated (e.g., by SIGKILL). This timing issue can lead to a use-after-free vulnerability, where the system attempts to access memory that has already been released. Such an issue could result in system instability or a denial of service."], "name": "CVE-2026-23372", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23372\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23372\nhttps://lore.kernel.org/linux-cve-announce/2026032541-CVE-2026-23372-7bc9@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23b7869c0fd08d73c9f83a2db88a13312d6198bb,3ae592ed91bb4b6b51df256b51045c13d2656049)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23b7869c0fd08d73c9f83a2db88a13312d6198bb,722a28b635ec281bb08a23885223526d8e7d6526)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23b7869c0fd08d73c9f83a2db88a13312d6198bb,78141b8832e16d80d09cbefb4258612db0777a24)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23b7869c0fd08d73c9f83a2db88a13312d6198bb,edc988613def90c5b558e025b1b423f48007be06)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23b7869c0fd08d73c9f83a2db88a13312d6198bb,da4515fc8263c5933ed605e396af91079806dc45)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23b7869c0fd08d73c9f83a2db88a13312d6198bb,d793458c45df2aed498d7f74145eab7ee22d25aa)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T22:00:05.983358+00:00", "value": {"mitigation_remediation": ["Apply the kernel update that contains the CVE\u20112026\u201123372 fix", "If an update cannot be applied immediately, disable or restrict raw NFC socket functionality on the system", "Ensure only privileged processes can create raw NFC sockets and monitor for abrupt process termination", "Check system logs for signs of kernel crashes or abnormal memory corruption related to NFC"], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free"}, "threat_synthesis": {"affected_systems": "Specifically, the vulnerability exists in the Linux kernel versions 3.1, as well as 7.0 release candidates rc1 through rc7. The flaw is present in any kernel build that includes the NFC raw socket implementation. Therefore systems running any of those kernel versions, or kernels derived from them that still compile the NFC raw socket code, are potentially affected.", "description_and_impact": "A race condition exists in the Linux kernel\u2019s NFC raw socket implementation where pending transmission work can access the NCI device after the socket and device have been torn down. The kernel may dereference freed memory, leading to a use\u2011after\u2011free fault that can crash the system or allow an attacker to execute arbitrary code. The weakness is identified by CWE\u2011364.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity, and the EPSS score of less than 1\u202f% suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to open a raw NFC socket locally and then terminate the owning process (e.g., by sending SIGKILL) to trigger the race. The lack of a known exploit and the local nature of the required actions reduce immediate risk, but the impact of a kernel fault warrants prompt remediation."}}}}, "created": "2026-03-25T21:31:43.728060+00:00", "updated": "2026-04-28T22:00:14.203920+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}