Vulnerability in Linux (CVE-2026-23150)
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
14/02/2026
Last modified:
18/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().

syzbot reported various memory leaks related to NFC, struct
nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]

The leading log hinted that nfc_llcp_send_ui_frame() failed
to allocate skb due to sock_error(sk) being -ENXIO.

ENXIO is set by nfc_llcp_socket_release() when struct
nfc_llcp_local is destroyed by local_cleanup().

The problem is that there is no synchronisation between
nfc_llcp_send_ui_frame() and local_cleanup(), and skb
could be put into local->tx_queue after it was purged in
local_cleanup():

  CPU1                          CPU2
  ----                          ----
  nfc_llcp_send_ui_frame()      local_cleanup()
  |- do {                       '
     |- pdu = nfc_alloc_send_skb(..., &err)
     |                          .
     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
     |                          |- skb_queue_purge(&local->tx_queue);      |
     |                          '                                          |
     |- skb_queue_tail(&local->tx_queue, pdu);                             |
    ...                                                                    |
     |- pdu = nfc_alloc_send_skb(..., &err)                                |
                                       ^._________________________________.'

local_cleanup() is called for struct nfc_llcp_local only
after nfc_llcp_remove_local() unlinks it from llcp_devices.

If we hold local->tx_queue.lock then, we can synchronise
the thread and nfc_llcp_send_ui_frame().

Let's do that and check list_empty(&local->list) before
queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
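
The synchronisation described above, as an added example that is neither the kernel patch nor code from this advisory: a userspace C model that replays the interleaving on one thread, with and without the check. The names struct local, linked, model_cleanup(), model_enqueue() and replay() are constructed; a pthread mutex stands in for local->tx_queue.lock and the linked flag for the list_empty(&local->list) test.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model with constructed names, not kernel code. */
struct pdu { struct pdu *next; };
struct local {
    pthread_mutex_t lock;  /* models local->tx_queue.lock */
    struct pdu *txq;       /* models local->tx_queue */
    bool linked;           /* models !list_empty(&local->list) */
};

/* Teardown side: unlink and purge while holding the queue lock. */
static void model_cleanup(struct local *l)
{
    pthread_mutex_lock(&l->lock);
    l->linked = false;
    while (l->txq) {
        struct pdu *p = l->txq;
        l->txq = p->next;
        free(p);
    }
    pthread_mutex_unlock(&l->lock);
}

/* Sender's enqueue step; check=false models the code before the fix. */
static bool model_enqueue(struct local *l, struct pdu *p, bool check)
{
    pthread_mutex_lock(&l->lock);
    bool ok = !check || l->linked;
    if (ok) { p->next = l->txq; l->txq = p; }
    pthread_mutex_unlock(&l->lock);
    if (!ok) free(p);      /* refused: free it instead of stranding it */
    return ok;
}

/* Replays the interleaving on one thread: allocate (CPU1), cleanup (CPU2),
 * enqueue (CPU1). Returns how many PDUs sit on the queue after teardown. */
static int replay(bool check)
{
    struct local l = { PTHREAD_MUTEX_INITIALIZER, NULL, true };
    struct pdu *late = calloc(1, sizeof(*late));
    if (!late) abort();
    model_cleanup(&l);
    int stranded = model_enqueue(&l, late, check) ? 1 : 0;
    free(l.txq);           /* tidy up the demo itself */
    return stranded;
}
int main(void) { return !(replay(false) == 1 && replay(true) == 0); }
```

In the unchecked run the PDU lands on a queue that has already been purged and that nothing will purge again, which is the kind of leftover object kmemleak reports in [0].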

[0]:
[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
  comm 'syz.0.17', pid 6096, jiffies 4294942766
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
  backtrace (crc da58d84d):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    __do_kmalloc_node mm/slub.c:5645 [inline]
    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
    kmalloc_noprof include/linux/slab.h:961 [inline]
    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
    sk_alloc+0x36/0x360 net/core/sock.c:2295
    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
    __sock_create+0x1a9/0x340 net/socket.c:1605
    sock_create net/socket.c:1663 [inline]
    __sys_socket_create net/socket.c:1700 [inline]
    __sys_socket+0xb9/0x1a0 net/socket.c:1747
    __do_sys_socket net/socket.c:1761 [inline]
    __se_sys_socket net/socket.c:1759 [inline]
    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
  comm 'syz.0.17', pid 6096, jiffies 4294942850
  hex dump (first 32 bytes):
    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......
    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....
  backtrace (crc 6cc652b1):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    alloc_skb_with_frags+0x69/0x3f0 net/core/sk
---truncated---
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709
- https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5
- https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339
- https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc
- https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f
- https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a
- https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6



