SB20260325119 - Missing release of memory after effective lifetime in Linux kernel nfc nci
Published: March 25, 2026
Security Bulletin ID
SB20260325119
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23339)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the nfc: nci component when handling early error paths in nci_transceive(). A local user can trigger error conditions to cause memory leaks.
Memory leaks occur due to failure to free socket buffer (skb) on early error returns, leading to gradual resource exhaustion.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/3245801d44a44c090acefe19a12d22d12cac45c5
- https://git.kernel.org/stable/c/33f6b8a96dda045789796c3bcb451c74ac158039
- https://git.kernel.org/stable/c/54f7f0eaafa56b5994cdb5c7967946922c2e1d22
- https://git.kernel.org/stable/c/7bd4b0c4779f978a6528c9b7937d2ca18e936e2c
- https://git.kernel.org/stable/c/9d448bbab724b94d6c561e1f314656f5b88a7cb3
- https://git.kernel.org/stable/c/dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89