CVE-2026-46267 Overview
CVE-2026-46267 is a use-after-free vulnerability in the Linux kernel's Near Field Communication (NFC) Host Controller Interface (HCI) Simplified High-Level Data Link Control (SHDLC) implementation. The flaw resides in llc_shdlc_deinit(), which purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues concurrently with teardown. The issue was reported by the Linux Verification Center (linuxtesting.org) using the SVACE static analysis tool.
Critical Impact
Concurrent execution of SHDLC timers or sm_work with context teardown can dereference freed memory, leading to use-after-free conditions and shutdown races in kernel space.
Affected Products
- Linux kernel — NFC HCI SHDLC subsystem (net/nfc/hci/llc_shdlc.c)
- Stable kernel branches referenced in the upstream commits
- Distributions shipping unpatched Linux kernels with NFC HCI enabled
Discovery Timeline
- 2026-06-03 - CVE-2026-46267 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46267
Vulnerability Analysis
The Linux kernel's NFC stack implements SHDLC as a link-layer protocol between the host and the NFC controller. The SHDLC layer maintains a state machine driven by sm_work and several timers governing acknowledgements, connection, and retransmission events. llc_shdlc_deinit() is responsible for tearing down this context when an NFC device is removed or reinitialized.
The defect lies in the teardown ordering. llc_shdlc_deinit() purges the receive and transmit skb queues and frees the llc_shdlc structure without first stopping the SHDLC timers or cancelling sm_work synchronously. Any pending timer can still fire and schedule sm_work, and an in-flight sm_work instance can dereference state that has already been freed.
The fix stops all SHDLC timers and cancels sm_work synchronously before purging the queues and freeing the context, closing the window in which freed memory can be accessed.
Root Cause
The root cause is improper teardown sequencing in the SHDLC deinitialization path. Asynchronous timers and workqueue items retain references to a context that the cleanup routine releases prematurely, producing a classic use-after-free condition.
Attack Vector
Triggering the race requires inducing teardown of the SHDLC link while timer-driven state machine work is queued or running. This typically demands local interaction with an NFC adapter exercising the HCI SHDLC path. Exploitation difficulty depends on the timing window and the attacker's ability to influence NFC driver lifecycle events.
No verified public exploit code is available. See the upstream commits referenced under Linux Kernel Change Log for the corrective patch.
Detection Methods for CVE-2026-46267
Indicators of Compromise
- Kernel oops or panic traces referencing llc_shdlc_sm_work, llc_shdlc_deinit, or NFC HCI symbols during device removal
- KASAN reports indicating use-after-free in net/nfc/hci/llc_shdlc.c
- Unexpected NFC subsystem crashes coinciding with adapter hot-unplug or driver unload
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test kernels to surface use-after-free conditions in the NFC HCI path
- Audit installed kernel versions against the fixed commits listed in the upstream change logs
- Review dmesg and persistent kernel logs for SHDLC-related warnings during NFC initialization and teardown
Monitoring Recommendations
- Collect kernel crash dumps and forward them to a central log pipeline for analysis
- Monitor for repeated NFC driver reloads or device resets that could be used to time the race
- Track package inventory to confirm timely deployment of kernel security updates across Linux fleets
How to Mitigate CVE-2026-46267
Immediate Actions Required
- Update to a Linux kernel that includes the SHDLC teardown ordering fix from the referenced stable commits
- Restrict physical and local access to systems with NFC hardware where patching is delayed
- Disable the NFC subsystem on hosts that do not require it, removing the attack surface entirely
Patch Information
The upstream fix stops all SHDLC timers and cancels sm_work synchronously before purging the skb queues and freeing the llc_shdlc structure. Corrective commits are published across stable branches including 1cb97b1225450af3f7b728777929ba50c6a58ced, 276820278e9717cc7d4bb32381892dd3ddf418d4, 77eef9f2eef045c3c37a3df82d3e661afb866b98, a24a676329d40481b2331bfa1418a679577dfd3a, c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e, c9efde1e537baed7648a94022b43836a348a074f, and cf70cedce327833296ebe6043364d1e44b76a2ab. See the Linux Kernel Change Log for details.
Workarounds
- Unload the nfc and associated HCI driver modules on systems that do not use NFC functionality
- Blacklist NFC kernel modules through /etc/modprobe.d/ configuration to prevent automatic loading
- Limit access to user accounts and processes capable of interacting with NFC device nodes
# Configuration example: disable NFC HCI modules until the kernel is patched
echo 'blacklist nfc' | sudo tee /etc/modprobe.d/disable-nfc.conf
echo 'blacklist nfc_hci' | sudo tee -a /etc/modprobe.d/disable-nfc.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
