Home

Description

In the Linux kernel, the following vulnerability has been resolved: nfc: hci: shdlc: Stop timers and work before freeing context llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races. Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context. Found by Linux Verification Center (linuxtesting.org) with SVACE.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-03 | Updated 2026-06-03 | Assigner Linux

Product status

Default status
unaffected

4a61cd6687fc6348d08724676d34e38160d6cf9b (git) before c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
affected

4a61cd6687fc6348d08724676d34e38160d6cf9b (git) before a24a676329d40481b2331bfa1418a679577dfd3a
affected

4a61cd6687fc6348d08724676d34e38160d6cf9b (git) before 77eef9f2eef045c3c37a3df82d3e661afb866b98
affected

4a61cd6687fc6348d08724676d34e38160d6cf9b (git) before cf70cedce327833296ebe6043364d1e44b76a2ab
affected

4a61cd6687fc6348d08724676d34e38160d6cf9b (git) before 276820278e9717cc7d4bb32381892dd3ddf418d4
affected

4a61cd6687fc6348d08724676d34e38160d6cf9b (git) before 1cb97b1225450af3f7b728777929ba50c6a58ced
affected

4a61cd6687fc6348d08724676d34e38160d6cf9b (git) before c9efde1e537baed7648a94022b43836a348a074f
affected

Default status
affected

3.7
affected

Any version before 3.7
unaffected

5.15.202 (semver)
unaffected

6.1.165 (semver)
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.14 (semver)
unaffected

6.19.4 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e

git.kernel.org/...c/a24a676329d40481b2331bfa1418a679577dfd3a

git.kernel.org/...c/77eef9f2eef045c3c37a3df82d3e661afb866b98

git.kernel.org/...c/cf70cedce327833296ebe6043364d1e44b76a2ab

git.kernel.org/...c/276820278e9717cc7d4bb32381892dd3ddf418d4

git.kernel.org/...c/1cb97b1225450af3f7b728777929ba50c6a58ced

git.kernel.org/...c/c9efde1e537baed7648a94022b43836a348a074f

cve.org (CVE-2026-46267)

nvd.nist.gov (CVE-2026-46267)

Download JSON