Description
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free rx_data_reassembly skb on NCI device cleanup rx_data_reassembly skb is stored during NCI data exchange for processing fragmented packets. It is dropped only when the last fragment is processed or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received. However, the NCI device may be deallocated before that which leads to skb leak. As by design the rx_data_reassembly skb is bound to the NCI device and nothing prevents the device to be freed before the skb is processed in some way and cleaned, free it on the NCI device cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References (10)
Scores
CVSS v3
5.5
EPSS
0.0001
EPSS Percentile
0.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-459
Status
published
Products (10)
debian/debian_linux
10.0
linux/Kernel
3.2.0 - 4.19.307linux
linux/Kernel
4.20.0 - 5.4.269linux
linux/Kernel
5.11.0 - 5.15.149linux
linux/Kernel
5.16.0 - 6.1.79linux
linux/Kernel
5.5.0 - 5.10.210linux
linux/Kernel
6.2.0 - 6.6.18linux
linux/Kernel
6.7.0 - 6.7.6linux
linux/linux_kernel
6.8 rc1 (2 CPE variants)
linux/linux_kernel
3.2 - 4.19.307
Published
Apr 17, 2024
Tracked Since
Feb 18, 2026