CVE-2026-23150 Overview
CVE-2026-23150 is a memory leak vulnerability in the Linux kernel's NFC (Near Field Communication) LLCP (Logical Link Control Protocol) implementation. The vulnerability exists in the nfc_llcp_send_ui_frame() function, where a race condition between frame transmission and local cleanup operations can result in socket buffers (skb) being queued after the transmission queue has been purged, leading to memory leaks of nfc_llcp_sock, sk_buff, and nfc_dev structures.
Critical Impact
This vulnerability can cause kernel memory leaks affecting system stability, potentially leading to denial of service conditions on systems with NFC functionality enabled.
Affected Products
- Linux Kernel (NFC LLCP subsystem)
- Systems with NFC hardware and enabled NFC drivers
- Kernel versions prior to the security patches
Discovery Timeline
- 2026-02-14 - CVE-2026-23150 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23150
Vulnerability Analysis
The vulnerability was identified through syzbot fuzzing, which reported various memory leaks related to NFC structures including struct nfc_llcp_sock, sk_buff, and nfc_dev. The root cause is a classic race condition between two concurrent operations: the nfc_llcp_send_ui_frame() function attempting to queue socket buffers for transmission, and the local_cleanup() function destroying the nfc_llcp_local structure.
When nfc_llcp_send_ui_frame() fails to allocate an skb due to sock_error(sk) returning -ENXIO (set by nfc_llcp_socket_release() during local destruction), there is no synchronization to prevent already-allocated PDUs from being queued to local->tx_queue after it has been purged by local_cleanup(). This results in orphaned memory allocations that are never freed.
Root Cause
The fundamental issue is the lack of synchronization between the transmission path and the cleanup path. The local_cleanup() function is called for struct nfc_llcp_local only after nfc_llcp_remove_local() unlinks it from llcp_devices. However, without proper locking, there is a window where nfc_llcp_send_ui_frame() can still queue buffers to the transmission queue between the socket release and queue purge operations.
The race condition can be visualized as follows:
- CPU1 executes nfc_llcp_send_ui_frame() and allocates a PDU
- CPU2 concurrently executes local_cleanup(), calling nfc_llcp_socket_release() and then skb_queue_purge()
- CPU1 then queues the already-allocated PDU to local->tx_queue after it was purged
- Subsequent allocations fail with -ENXIO, but the queued buffer is now orphaned
Attack Vector
This vulnerability is triggered through race conditions in the NFC LLCP protocol handling. An attacker with local access to a system with NFC capabilities could potentially trigger this condition by rapidly creating and destroying NFC LLCP sockets while simultaneously initiating UI frame transmissions. The resulting memory leaks could eventually exhaust system memory, leading to a denial of service condition.
The kernel log traces show the allocation backtrace starting from socket creation through __sys_socket(), followed by nfc_llcp_sock_alloc() and ultimately __alloc_skb() for the socket buffers that become leaked.
Detection Methods for CVE-2026-23150
Indicators of Compromise
- Kernel log messages containing llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
- kmemleak reports indicating suspected memory leaks in NFC-related structures
- Increasing memory consumption in kernel slab caches related to sk_buff and socket allocations
- System instability or OOM (Out of Memory) conditions on NFC-enabled systems
Detection Strategies
- Enable CONFIG_DEBUG_KMEMLEAK in kernel configuration to detect memory leaks via /sys/kernel/debug/kmemleak
- Monitor kernel ring buffer (dmesg) for NFC LLCP error messages with error code -6 (ENXIO)
- Use memory profiling tools to track kernel slab allocations for skbuff_head_cache and socket-related caches
- Deploy SentinelOne agents to monitor for anomalous kernel behavior and memory consumption patterns
Monitoring Recommendations
- Implement continuous monitoring of kernel memory usage on systems with NFC hardware
- Configure alerts for kmemleak reports containing nfc_llcp_sock_alloc or nfc_llcp_send_ui_frame in backtraces
- Monitor system memory pressure indicators and investigate unexpected increases on NFC-enabled devices
- Review system logs for patterns of NFC subsystem errors that may indicate exploitation attempts
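One way to implement the kmemleak alert from the lists above, as an added example that is not part of the original advisory: it counts kmemleak records whose backtrace names nfc_llcp_sock_alloc or nfc_llcp_send_ui_frame, once per record. The function names and the sample report are constructed for illustration.

```c
/* Added illustration; function names are hypothetical, sample data is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const char *const NFC_SYMS[] = { "nfc_llcp_sock_alloc", "nfc_llcp_send_ui_frame" };
static const char HDR[] = "unreferenced object";   /* starts each kmemleak record */
/* True if line[0..len) contains one of the symbols the page says to alert on. */
static bool line_has_sym(const char *line, size_t len) {
    for (size_t i = 0; i < sizeof NFC_SYMS / sizeof NFC_SYMS[0]; i++) {
        size_t n = strlen(NFC_SYMS[i]);
        for (size_t off = 0; off + n <= len; off++)
            if (memcmp(line + off, NFC_SYMS[i], n) == 0) return true;
    }
    return false;
}

/* Counts records whose body names an NFC LLCP symbol, once per record. */
int count_nfc_leak_records(const char *report) {
    int hits = 0;
    bool flagged = true;   /* nothing can be flagged before the first record header */
    for (const char *p = report; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (strncmp(p, HDR, sizeof HDR - 1) == 0)
            flagged = false;                       /* a new record starts here */
        else if (!flagged && line_has_sym(p, len)) { flagged = true; hits++; }
        p += len + (eol ? 1 : 0);
    }
    return hits;
}

/* Constructed sample in the shape of /sys/kernel/debug/kmemleak output. */
const char SAMPLE[] =
    "unreferenced object 0xffff000000000001 (size 1024):\n"
    "  backtrace:\n"
    "    nfc_llcp_sock_alloc+0x0/0x0\n"
    "unreferenced object 0xffff000000000002 (size 240):\n"
    "  backtrace:\n"
    "    __alloc_skb+0x0/0x0\n"
    "    nfc_llcp_send_ui_frame+0x0/0x0\n"
    "unreferenced object 0xffff000000000003 (size 64):\n"
    "  backtrace:\n"
    "    kmalloc_example+0x0/0x0\n";

int main(void) {
    return printf("NFC LLCP leak records: %d\n", count_nfc_leak_records(SAMPLE)) < 0;
}
```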
How to Mitigate CVE-2026-23150
Immediate Actions Required
- Apply the kernel security patches from the official Linux kernel stable branches
- If NFC functionality is not required, disable NFC drivers by blacklisting the relevant kernel modules
- Monitor affected systems for signs of memory exhaustion until patches can be applied
- Consider temporarily disabling NFC at the hardware level on critical systems
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix implements proper synchronization by holding local->tx_queue.lock during the cleanup operation and checking list_empty(&local->list) before queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
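The interleaving listed under Root Cause and the check described above, as an added user-space model (not kernel code and not taken from the patch commits): it replays allocate, cleanup, queue in that order and counts the PDUs that nothing will free. The struct, the function names and the -ENXIO return in the fixed path are assumptions of this model.

```c
/* Added illustration, not kernel code: a single-threaded replay of the
 * interleaving. All names below are hypothetical stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
struct local_model {
    bool unlinked;        /* models list_empty(&local->list) */
    void *tx_queue[4];    /* models local->tx_queue */
    int tx_len;
};
static int live_pdus;     /* PDUs allocated and not yet freed */
static void *pdu_alloc(void) { live_pdus++; return malloc(64); }
static void pdu_free(void *p) { free(p); live_pdus--; }

/* CPU2: unlink the local, then purge the queue (under tx_queue.lock once fixed). */
static void remove_and_cleanup(struct local_model *l) {
    l->unlinked = true;
    while (l->tx_len > 0) pdu_free(l->tx_queue[--l->tx_len]);
}

/* CPU1: queue step of the send path. The fixed variant checks, under the
 * same lock, whether the local is still linked. -ENXIO is this model's choice. */
static int queue_pdu(struct local_model *l, void *pdu, bool fixed) {
    if (fixed && l->unlinked) {
        pdu_free(pdu);
        return -ENXIO;
    }
    l->tx_queue[l->tx_len++] = pdu;
    return 0;
}

/* Replays alloc (CPU1) -> cleanup (CPU2) -> queue (CPU1); returns leaked PDUs. */
int replay_race(bool fixed, int *rc) {
    struct local_model l = {0};
    live_pdus = 0;
    void *pdu = pdu_alloc();
    remove_and_cleanup(&l);
    *rc = queue_pdu(&l, pdu, fixed);
    int leaked = live_pdus;          /* nothing will purge this queue again */
    while (l.tx_len > 0) pdu_free(l.tx_queue[--l.tx_len]);   /* tidy the demo */
    return leaked;
}

int main(void) {
    int rc, a = replay_race(false, &rc), b = replay_race(true, &rc);
    printf("unfixed leaked=%d, fixed leaked=%d\n", a, b);
    return 0;
}
```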
Multiple patch commits are available for different kernel branches:
- Kernel Commit 165c34f
- Kernel Commit 3098e5c
- Kernel Commit 61858bc
- Kernel Commit 65e976e
- Kernel Commit 6734ff1
- Kernel Commit ab660cb
- Kernel Commit f8d0026
Workarounds
- Blacklist NFC kernel modules by adding blacklist nfc and blacklist nfc_llcp to /etc/modprobe.d/blacklist.conf
- Disable NFC hardware through BIOS/UEFI settings where available
- Use kernel boot parameters to prevent NFC module loading: modprobe.blacklist=nfc,nfc_llcp
- Implement memory resource limits using cgroups to contain potential memory exhaustion impact
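```bash
# Configuration example (run as root)
# Disable NFC modules to mitigate the vulnerability
echo "blacklist nfc" >> /etc/modprobe.d/blacklist-nfc.conf
echo "blacklist nfc_llcp" >> /etc/modprobe.d/blacklist-nfc.conf
echo "blacklist pn533" >> /etc/modprobe.d/blacklist-nfc.conf
# Unload NFC modules if currently loaded. Drivers that depend on nfc
# (check with: lsmod | grep nfc) must be removed before nfc itself.
modprobe -r pn533 2>/dev/null || true
# LLCP is built into nfc.ko in mainline kernels, so this is a no-op
# where no separate nfc_llcp module exists
modprobe -r nfc_llcp 2>/dev/null || true
modprobe -r nfc
# Update initramfs to persist changes (Debian/Ubuntu; use dracut -f elsewhere)
update-initramfs -u
```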
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

