Missing release of memory after effective lifetime in Linux kernel - CVE-2026-23339
Published: March 25, 2026
Vulnerability identifier: #VU124510
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23339
CWE-ID: CWE-401
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the nfc: nci component when handling early error paths in nci_transceive(). A local user can trigger error conditions to cause memory leaks.
Memory leaks occur due to failure to free socket buffer (skb) on early error returns, leading to gradual resource exhaustion.
How to mitigate CVE-2026-23339
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/3245801d44a44c090acefe19a12d22d12cac45c5
- https://git.kernel.org/stable/c/33f6b8a96dda045789796c3bcb451c74ac158039
- https://git.kernel.org/stable/c/54f7f0eaafa56b5994cdb5c7967946922c2e1d22
- https://git.kernel.org/stable/c/7bd4b0c4779f978a6528c9b7937d2ca18e936e2c
- https://git.kernel.org/stable/c/9d448bbab724b94d6c561e1f314656f5b88a7cb3
- https://git.kernel.org/stable/c/dcbcccfc5195c9caaa4bb8d31f23c345f00a9e89