7.8
CVE-2026-46267
- EPSS 0.12%
- Veröffentlicht 03.06.2026 15:50:09
- Zuletzt bearbeitet 09.06.2026 19:48:21
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
nfc: hci: shdlc: Stop timers and work before freeing context
In the Linux kernel, the following vulnerability has been resolved: nfc: hci: shdlc: Stop timers and work before freeing context llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races. Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 3.7 < 5.15.202
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.14
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.022 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a
https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98
https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab
https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4
https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced
https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f