CVE-2026-23372
Published: 25 March 2026
Summary
CVE-2026-23372 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23372 is a race condition vulnerability in the Linux kernel's NFC rawsock component. The issue arises during socket teardown in rawsock_release(), where pending tx_work on the system workqueue can race with socket and device teardown, such as when a process is killed by SIGKILL. This leads to use-after-free errors or leaked references, as tx_work calls nfc_data_exchange which dereferences the NCI device without proper synchronization. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering the race condition during socket operations and process termination. Successful exploitation could result in arbitrary code execution, data corruption, or denial of service due to the high impacts on confidentiality, integrity, and availability from the use-after-free.
The provided patch references from kernel.org stable branches detail the mitigation, which involves canceling pending tx_work and purging the write queue before orphaning the socket. Specifically, the fix sets the SEND_SHUTDOWN flag first to prevent transmission if tx_work is running, uses cancel_work_sync to wait for in-progress execution to complete, and then purges any remaining queued skbs. Affected systems should apply these stable kernel commits to resolve the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15359
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel tx_work before socket teardown In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls…
more
nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references. Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF race condition directly enables privilege escalation via exploitation for arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely application of the kernel patch directly resolves the race condition by synchronizing tx_work cancellation and purging during NFC rawsock socket teardown.
Memory protection mechanisms such as address space randomization and execution restrictions mitigate exploitation of the use-after-free vulnerability in the kernel.
Vulnerability scanning identifies the kernel CVE in NFC rawsock, enabling detection and prioritization for remediation.