7.8

CVE-2026-46267

nfc: hci: shdlc: Stop timers and work before freeing context

In the Linux kernel, the following vulnerability has been resolved:

nfc: hci: shdlc: Stop timers and work before freeing context

llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc
structure while its timers and state machine work may still be active.

Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state
and the skb queues. If teardown happens in parallel with a queued/running
work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm_work synchronously before purging the
queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.7 < 5.15.202
LinuxLinux Kernel Version >= 5.16 < 6.1.165
LinuxLinux Kernel Version >= 6.2 < 6.6.128
LinuxLinux Kernel Version >= 6.7 < 6.12.75
LinuxLinux Kernel Version >= 6.13 < 6.18.14
LinuxLinux Kernel Version >= 6.19 < 6.19.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.022
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
Patch
https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a
Patch
https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98
Patch
https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab
Patch
https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4
Patch
https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced
Patch
https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f
Patch