CVE-2026-46267: Linux NFC SHDLC Use-After-Free Privilege Escalation
A use-after-free vulnerability exists in the Linux kernel's NFC (Near Field Communication) SHDLC (Synchronous Half-Duplex Link Control) driver. The vulnerability occurs during driver shutdown when memory is freed while background timers and worker threads are still active. These timers and workers can attempt to access the freed memory after it has been released, potentially leading to system crashes or privilege escalation. A local attacker with basic user privileges can trigger this condition.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: nfc: hci: shdlc: Stop timers and work before freeing context llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races. Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context. Found by Linux Verification Center (linuxtesting.org) with SVACE.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the NFC HCI SHDLC implementation within the Linux kernel. Specifically, the llc_shdlc_deinit() function purges socket buffer (skb) queues and deallocates the llc_shdlc structure without first stopping active timers and canceling the state machine work queue handler (sm_work). Since timer callbacks can schedule sm_work, and sm_work itself accesses SHDLC state and skb queues, a race condition exists: if teardown occurs concurrently with a pending or executing work item, the work handler will dereference memory that has already been freed. This is a classic use-after-free (UAF) scenario. The issue was discovered through automated static analysis using the SVACE tool by the Linux Verification Center.
Business impact
This vulnerability affects any Linux system running affected kernel versions where NFC functionality is compiled or available. While NFC is not universally deployed, it is present in certain enterprise environments, IoT deployments, and consumer devices. Exploitation could result in denial of service (kernel crash), information disclosure via memory corruption, or privilege escalation from unprivileged user context to kernel-level execution. The impact is localized to machines with NFC capabilities and requires local access, limiting the scope compared to remote exploits, but the severity remains elevated given the potential for privilege escalation.
Affected systems
The Linux kernel across all versions prior to the patch is affected. NFC support must be compiled into or loaded as a module for the vulnerability to be exploitable. Systems with NFC hardware (such as embedded devices, NFC readers, or NFC-capable phones running Linux) are directly at risk. Servers and desktops without NFC support are not vulnerable. Verify your kernel configuration to determine if CONFIG_NFC and related SHDLC modules are enabled.
Exploitability
Exploitation requires local system access with basic unprivileged user privileges. An attacker would need to trigger NFC device initialization and then concurrent teardown with active timers or work queue operations. While not trivial, this is feasible in scenarios where an attacker controls local user accounts or has access to the NFC subsystem. The vulnerability does not require special hardware beyond standard NFC support; it is a race condition that can be triggered through normal driver lifecycle operations. Public exploit code is not known at this time, but the root cause is straightforward enough that a motivated attacker could develop a proof-of-concept.
Remediation
Apply the kernel patch that modifies llc_shdlc_deinit() to synchronously stop all timers and cancel sm_work before purging queues and freeing the llc_shdlc structure. The fix ensures proper cleanup ordering to eliminate the race window. End users should upgrade to a patched kernel version released by their Linux distribution or kernel maintainers. Verify against official Linux kernel security advisories and your vendor's kernel update schedule for specific version numbers and availability.
Patch guidance
Linux kernel maintainers have released a fix as part of standard kernel updates. Contact your distribution maintainer (Red Hat, Canonical, SUSE, etc.) for the specific patched kernel version applicable to your release. The patch involves reordering the deinit sequence to call timer_stop and cancel_work_sync before queue purge and structure deallocation. Verify the patch in the Linux kernel git repository under the NFC subsystem commits. Test patches in a non-production environment before deployment to ensure stability and compatibility with your NFC-dependent services.
Detection guidance
Monitor kernel logs (dmesg, journalctl) for NFC SHDLC driver errors, NULL pointer dereferences, or use-after-free warnings. Kernel Address Sanitizer (KASAN) enabled kernels will reliably catch UAF attempts at runtime with detailed stack traces. Runtime behavioral indicators include unexpected NFC device initialization/teardown crashes or memory corruption warnings. Intrusion detection systems should flag suspicious patterns of repeated NFC subsystem activation and deactivation on systems where such activity is anomalous. However, normal detection of active exploitation in production is challenging; the primary detection strategy is proactive patching.
Why prioritize this
Despite requiring local access, this vulnerability warrants prioritization because it enables privilege escalation from user context to kernel execution, has a relatively high CVSS score of 7.8, and affects a foundational kernel subsystem. Systems with NFC enabled should prioritize patching immediately. Systems without NFC can safely defer this patch or deprioritize relative to remote code execution vulnerabilities, but organizations should audit their kernel configurations to determine NFC status. The fact that this is a kernel-level vulnerability means successful exploitation could compromise the entire system.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: (1) Local attack vector requiring user-level access but not administrative privileges; (2) Low attack complexity—the race condition can be triggered reliably; (3) High impact across confidentiality, integrity, and availability due to kernel-level execution potential; (4) No user interaction required. The score appropriately captures the severity while acknowledging the local-access requirement, making this a high-priority but not critical vulnerability.
Frequently asked questions
Is NFC enabled by default on my Linux system?
No. NFC support is typically not compiled into default kernel configurations for servers and desktops. Check your kernel config (cat /boot/config-$(uname -r) | grep CONFIG_NFC) or lsmod | grep nfc. Only systems with explicit NFC hardware support or specialized configurations are at risk. Most enterprise servers do not have this enabled.
Can this be exploited remotely?
No. This vulnerability requires local system access at the unprivileged user level minimum. Remote exploitation is not possible. However, once an attacker gains local access (via SSH, container escape, etc.), they could leverage this to escalate privileges further.
What happens if I disable NFC in my kernel?
Disabling NFC entirely via CONFIG_NFC=n or unloading the NFC module eliminates this vulnerability for that system. If NFC is not a functional requirement for your deployment, disabling it is a valid mitigation alongside or instead of patching.
How long has this vulnerability existed?
The vulnerability was discovered through automated static analysis by the Linux Verification Center and was resolved as part of standard kernel maintenance. The exact introduction date is unclear from available information, but NFC SHDLC handling has been in the kernel for several years. Verify against the official Linux kernel git history for precise timelines.
This analysis is based on publicly available CVE data and Linux kernel security advisories as of the publication date. Specific patch version numbers and availability dates should be verified against official Linux distribution security advisories and the Linux kernel security mailing list. SEC.co does not provide exploit code or detailed proof-of-concept information. Organizations are responsible for assessing their own NFC configurations and kernel versions to determine actual exposure. Testing should be performed in controlled environments before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance