CVE-2026-23330 — Vulnetix

CVE-2026-23330 PUBLISHED

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: complete pending data exchange on device close In nci_close_device(), complete any pending data exchange before closing. The data exchange callback (e.g. rawsock_data_exchange_complete) holds a socket reference. NIPA occasionally hits this leak: unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc ec2b3c5): __kmalloc_noprof+0x4db/0x730 sk_prot_alloc.isra.0+0xe4/0x1d0 sk_alloc+0x36/0x760 rawsock_create+0xd1/0x540 nfc_sock_create+0x11f/0x280 __sock_create+0x22d/0x630 __sys_socket+0x115/0x1d0 __x64_sys_socket+0x72/0xd0 do_syscall_64+0x117/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

EPSS 0.02% · 3.9th percentile

Risk Scores

EPSS Score

0.02%

3.9th percentile

Affected Products

Vendor	Product	Versions
Linux	Linux	38f04c6b1b682f1879441e2925403ad9aff9e229, 38f04c6b1b682f1879441e2925403ad9aff9e229, 38f04c6b1b682f1879441e2925403ad9aff9e229
linux	linux_kernel	3.2, 3.2, 3.2

Timeline

Mar 25, 2026 EPSS Score
Mar 25, 2026 Coalition ESS Score
Mar 25, 2026 CVE Published
Mar 29, 2026 Security Advisory
Apr 27, 2026 CVE Updated

References

Open in Interactive Console →