CVE-2026-23167 Overview
A race condition vulnerability has been identified in the Linux kernel's NFC (Near Field Communication) NCI (NFC Controller Interface) subsystem. The vulnerability exists between rfkill operations and the nci_unregister_device() function, where improper ordering of cleanup operations can lead to a use-after-destroy condition affecting the nci_dev.cmd_wq workqueue.
The issue was discovered through syzkaller fuzzing, which detected that the struct nci_dev.cmd_wq workqueue had been destroyed before nci_close_device() was called via rfkill. This occurs because nci_unregister_device() destroys nci_dev.cmd_wq first and then calls nfc_unregister_device(), which removes the device from rfkill via rfkill_unregister(). This ordering allows the device to remain visible via rfkill even after the workqueue has been destroyed.
Critical Impact
This race condition can cause kernel warnings, potential system instability, and may lead to denial of service conditions when NFC devices are being unregistered while rfkill operations are in progress.
Affected Products
- Linux Kernel (NFC NCI subsystem)
- Systems with virtual NCI device support
- Linux distributions using affected kernel versions with NFC functionality enabled
Discovery Timeline
- February 14, 2026 - CVE-2026-23167 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23167
Vulnerability Analysis
This vulnerability represents a classic race condition pattern in kernel device management. The root of the problem lies in the cleanup sequence within nci_unregister_device(). When a virtual NCI device file descriptor is closed (for example, through virtual_ncidev_close()), the function destroys nci_dev.cmd_wq before unregistering the device from the rfkill subsystem.
The race window exists because another thread can still access the device through rfkill interfaces (via rfkill_fop_write()) after the workqueue has been destroyed but before rfkill_unregister() is called. When this happens, nci_close_device() attempts to flush the already-destroyed workqueue, triggering kernel warnings and potential crashes.
The kernel stack trace from syzkaller demonstrates this issue clearly, showing the call path from rfkill_fop_write() through nfc_rfkill_set_block() to nci_close_device(), where __flush_workqueue() is called on the destroyed cmd_wq.
Root Cause
The vulnerability stems from incorrect ordering of cleanup operations in the NCI device unregistration path. The nci_unregister_device() function performs the following sequence:
- Destroys nci_dev.cmd_wq workqueue
- Calls nfc_unregister_device() which eventually calls rfkill_unregister()
This ordering is problematic because the device remains accessible via rfkill after step 1, creating a window where rfkill operations can attempt to use the destroyed workqueue.
The fix involves splitting nfc_unregister_device() into two functions to properly sequence the cleanup. The rfkill interfaces must be removed first, before destroying the workqueue. However, this reordering is constrained by the fact that nfc_unregister_device() calls device_del() which frees memory allocated by devm_kzalloc() and linked to ndev->conn_info_list, which could still be accessed by nci_rx_work().
Attack Vector
The vulnerability can be triggered through concurrent operations involving:
- Opening a virtual NCI device file descriptor
- Initiating rfkill operations on the NFC device
- Closing the virtual NCI device file descriptor while rfkill operations are in progress
This creates a race condition where the rfkill write operation attempts to bring the device down (nfc_dev_down() → nci_dev_down() → nci_close_device()) while another thread is unregistering the device and destroying its workqueue.
The attack requires local access to the system with the ability to open NFC device file descriptors and interact with rfkill interfaces. The vulnerability was discovered through fuzzing with syzkaller, demonstrating that it can be triggered through specific timing of system calls.
Detection Methods for CVE-2026-23167
Indicators of Compromise
- Kernel warnings containing DEBUG_LOCKS_WARN_ON(1) in lockdep output
- Stack traces showing __flush_workqueue being called from nci_close_device()
- Kernel log messages referencing hlock_class or check_wait_context warnings
- System instability or crashes during NFC device operations
Detection Strategies
- Monitor kernel logs for lockdep warnings related to NFC/NCI subsystem operations
- Configure kernel with CONFIG_LOCKDEP=y to enable lock dependency checking
- Use kernel tracing tools to monitor nci_unregister_device() and nfc_rfkill_set_block() function calls
- Deploy SentinelOne Singularity Platform for real-time kernel anomaly detection
Monitoring Recommendations
- Enable kernel auditing for NFC device file descriptor operations
- Monitor for unusual patterns of rfkill operations coinciding with device closures
- Set up alerts for kernel oops or warnings in the NFC subsystem
- Track virtual NCI device usage through process monitoring
How to Mitigate CVE-2026-23167
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel stable branches
- If patching is not immediately possible, consider disabling NFC functionality if not required
- Monitor systems for kernel warnings related to NFC operations
- Restrict access to NFC device interfaces to trusted users only
Patch Information
Multiple patches have been released to address this vulnerability across different Linux kernel stable branches. The fix involves reordering the cleanup sequence in nci_unregister_device() to unregister rfkill interfaces before destroying the workqueue.
Available patches:
- Linux Kernel Commit 126cd30
- Linux Kernel Commit 546eba0
- Linux Kernel Commit 8ea4d96
- Linux Kernel Commit c3369fc
- Linux Kernel Commit cd4412d
- Linux Kernel Commit d249268
- Linux Kernel Commit eaa5da5
Workarounds
- Disable NFC kernel modules using modprobe -r nci and modprobe -r nfc if NFC functionality is not required
- Block access to /dev/virtual_ncidev and related NFC device nodes through permissions
- Use rfkill to persistently block NFC devices: rfkill block nfc
- Implement SELinux or AppArmor policies to restrict NFC device access
# Disable NFC modules if not needed
echo "blacklist nci" >> /etc/modprobe.d/blacklist-nfc.conf
echo "blacklist nfc" >> /etc/modprobe.d/blacklist-nfc.conf
update-initramfs -u
# Block NFC via rfkill
rfkill block nfc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
