CVE-2025-71079 Overview
A deadlock vulnerability has been identified in the Linux kernel's NFC (Near Field Communication) subsystem. The vulnerability exists due to a lock ordering inversion between device_lock and rfkill_global_mutex in the interaction between nfc_unregister_device() and rfkill_fop_write() functions. This creates a classic ABBA deadlock scenario that can cause system hangs and denial of service conditions.
Critical Impact
This vulnerability can lead to system deadlock conditions when concurrent NFC device operations occur, potentially causing denial of service on affected Linux systems with NFC hardware enabled.
Affected Products
- Linux Kernel (NFC subsystem)
- Linux systems with NFC hardware and rfkill support enabled
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-71079 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71079
Vulnerability Analysis
This vulnerability represents a Deadlock condition in the Linux kernel's NFC subsystem. The deadlock occurs due to improper lock ordering between two critical synchronization primitives: device_lock and rfkill_global_mutex.
When two threads attempt to acquire these locks in opposite orders simultaneously, neither thread can proceed, resulting in a system deadlock. This can cause the affected system to become unresponsive, requiring a hard reboot to recover.
The vulnerability specifically affects the NFC device unregistration path when it races with rfkill write operations. The deadlock manifests when Thread A (executing rfkill_fop_write()) holds rfkill_global_mutex and waits for device_lock, while Thread B (executing nfc_unregister_device()) holds device_lock and waits for rfkill_global_mutex.
Root Cause
The root cause is a lock ordering inversion between two kernel synchronization mechanisms:
Thread A execution path (rfkill_fop_write):
- Acquires rfkill_global_mutex
- Calls rfkill_set_block()
- Calls nfc_rfkill_set_block()
- Calls nfc_dev_down()
- Attempts to acquire device_lock (blocked)
Thread B execution path (nfc_unregister_device):
- Acquires device_lock
- Calls rfkill_unregister()
- Attempts to acquire rfkill_global_mutex (blocked)
This creates the classic ABBA deadlock pattern where each thread holds a lock that the other thread needs, and neither can proceed.
Attack Vector
The attack vector for this vulnerability involves triggering concurrent NFC device operations. An attacker with local access to a system with NFC hardware could potentially trigger this deadlock by:
- Initiating rfkill operations on NFC devices (via /dev/rfkill or rfkill sysfs interfaces)
- Simultaneously triggering NFC device unregistration events
- The race condition between these operations can lead to the deadlock state
While this requires local access and specific timing, it could be exploited for denial of service attacks on systems where NFC functionality is critical.
Detection Methods for CVE-2025-71079
Indicators of Compromise
- System hangs or freezes when performing NFC-related operations
- Kernel lockup warnings in system logs related to NFC or rfkill subsystems
- Unresponsive rfkill commands or NFC device management tools
- Kernel soft lockup messages mentioning nfc_unregister_device or rfkill_fop_write
Detection Strategies
- Monitor kernel logs for deadlock warnings involving NFC and rfkill subsystems
- Implement watchdog monitoring to detect system hangs during NFC operations
- Use lockdep (Linux kernel lock dependency validator) to detect lock ordering issues
- Monitor for extended D-state (uninterruptible sleep) processes related to NFC operations
Monitoring Recommendations
- Enable kernel lock debugging (CONFIG_PROVE_LOCKING) to detect lock ordering violations
- Configure system watchdogs to alert on kernel soft lockups
- Monitor /var/log/kern.log and dmesg output for NFC-related warnings
- Implement automated system health checks that include NFC subsystem status
How to Mitigate CVE-2025-71079
Immediate Actions Required
- Update to a patched Linux kernel version that includes the fix
- If immediate patching is not possible, consider disabling NFC functionality on affected systems
- Monitor systems for signs of deadlock conditions and implement automated recovery mechanisms
- Review system configurations to identify critical systems using NFC hardware
Patch Information
The fix has been committed to the Linux kernel stable trees. The patch moves rfkill_unregister() and rfkill_destroy() outside the device_lock critical section by storing the rfkill pointer in a local variable before releasing the lock. This maintains thread safety while eliminating the deadlock condition.
Patches are available through the following kernel commits:
- Kernel Commit 1ab526d
- Kernel Commit 6b93c8a
- Kernel Commit 8fc4632
- Kernel Commit ee41f4f
- Kernel Commit f3a8a7c
Workarounds
- Disable NFC functionality by blacklisting NFC kernel modules (e.g., blacklist nfc in /etc/modprobe.d/)
- Use rfkill to persistently disable NFC hardware: rfkill block nfc
- Limit access to rfkill interfaces to reduce attack surface
- Implement system monitoring with automatic reboot capabilities for deadlock recovery
# Configuration example
# Disable NFC kernel modules as a workaround
echo "blacklist nfc" >> /etc/modprobe.d/disable-nfc.conf
echo "blacklist nfc_hci" >> /etc/modprobe.d/disable-nfc.conf
# Alternatively, use rfkill to block NFC devices
rfkill block nfc
# Verify NFC is disabled
rfkill list nfc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
