nfc: hci: shdlc: Stop timers and work before freeing context
Summary
| CVE | CVE-2026-46267 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-06-03 18:16:28 UTC |
|---|
| Updated | 2026-06-03 18:16:28 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
nfc: hci: shdlc: Stop timers and work before freeing context
llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc
structure while its timers and state machine work may still be active.
Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state
and the skb queues. If teardown happens in parallel with a queued/running
work item, it can lead to UAF and other shutdown races.
Stop all SHDLC timers and cancel sm_work synchronously before purging the
queues and freeing the context.
Found by Linux Verification Center (linuxtesting.org) with SVACE. |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected 4a61cd6687fc6348d08724676d34e38160d6cf9b c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e git |
Not specified |
| CNA |
Linux |
Linux |
affected 4a61cd6687fc6348d08724676d34e38160d6cf9b a24a676329d40481b2331bfa1418a679577dfd3a git |
Not specified |
| CNA |
Linux |
Linux |
affected 4a61cd6687fc6348d08724676d34e38160d6cf9b 77eef9f2eef045c3c37a3df82d3e661afb866b98 git |
Not specified |
| CNA |
Linux |
Linux |
affected 4a61cd6687fc6348d08724676d34e38160d6cf9b cf70cedce327833296ebe6043364d1e44b76a2ab git |
Not specified |
| CNA |
Linux |
Linux |
affected 4a61cd6687fc6348d08724676d34e38160d6cf9b 276820278e9717cc7d4bb32381892dd3ddf418d4 git |
Not specified |
| CNA |
Linux |
Linux |
affected 4a61cd6687fc6348d08724676d34e38160d6cf9b 1cb97b1225450af3f7b728777929ba50c6a58ced git |
Not specified |
| CNA |
Linux |
Linux |
affected 4a61cd6687fc6348d08724676d34e38160d6cf9b c9efde1e537baed7648a94022b43836a348a074f git |
Not specified |
| CNA |
Linux |
Linux |
affected 3.7 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 3.7 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 5.15.202 5.15.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.1.165 6.1.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.6.128 6.6.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.12.75 6.12.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.14 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.19.4 6.19.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
