Cyber Resilience

CVE-2026-23372

High

Published: 25 March 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23372 is a high-severity vulnerability of unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 9.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23372 is a race condition vulnerability in the Linux kernel's NFC rawsock component. The issue arises during socket teardown in rawsock_release(), where pending tx_work on the system workqueue can race with socket and device teardown, such as when a process is killed by SIGKILL. This leads to use-after-free errors or leaked references, as tx_work calls nfc_data_exchange which dereferences the NCI device without proper synchronization. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the race condition during socket operations and process termination. Because the flaw is a use-after-free with high impact on confidentiality, integrity, and availability, successful exploitation could result in arbitrary code execution, data corruption, or denial of service.

The provided patch references from kernel.org stable branches detail the mitigation, which involves canceling pending tx_work and purging the write queue before orphaning the socket. Specifically, the fix sets the SEND_SHUTDOWN flag first to prevent transmission if tx_work is running, uses cancel_work_sync to wait for in-progress execution to complete, and then purges any remaining queued skbs. Affected systems should apply these stable kernel commits to resolve the issue.
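The teardown ordering described above, as an added example that is not part of the advisory or the kernel patch: a single-threaded userspace C model in which an explicit "workqueue" step stands in for the scheduler. All struct and function names are constructed for illustration, and cancel_work_sync_model only models dequeuing pending work, not waiting for work that is already running.

```c
#include <stdbool.h>

/* Userspace model (constructed): names mirror the advisory, not kernel code. */
struct dev  { bool alive; int exchanges; };
struct sock {
    struct dev *dev;
    bool send_shutdown;   /* models the SEND_SHUTDOWN flag */
    bool work_pending;    /* models tx_work queued on the system workqueue */
    int  queued;          /* models skbs waiting on the write queue */
    int  uaf;             /* times the work touched a torn-down device */
};

/* Models rawsock_tx_work: skips transmitting once shutdown is set. */
static void tx_work(struct sock *sk)
{
    sk->work_pending = false;
    if (sk->send_shutdown || sk->queued == 0)
        return;
    if (!sk->dev->alive) { sk->uaf++; return; }  /* would be a use-after-free */
    sk->queued--;
    sk->dev->exchanges++;                         /* models nfc_data_exchange */
}

/* Models cancel_work_sync: pending work is dequeued and never runs. */
static void cancel_work_sync_model(struct sock *sk) { sk->work_pending = false; }

/* Teardown without synchronization: device goes away, work is still queued. */
static void release_unsynchronized(struct sock *sk) { sk->dev->alive = false; }

/* Teardown in the order the fix describes. */
static void release_fixed(struct sock *sk)
{
    sk->send_shutdown = true;      /* 1. work that runs now skips transmitting */
    cancel_work_sync_model(sk);    /* 2. nothing is pending after this point */
    sk->queued = 0;                /* 3. purge remaining queued skbs */
    sk->dev->alive = false;        /* 4. only now is the device torn down */
}

/* Queue data, schedule work, tear down, then let the workqueue run.
 * Returns how many times the work touched a torn-down device. */
int run_scenario(bool fixed)
{
    struct dev d = { true, 0 };
    struct sock sk = { &d, false, true, 2, 0 };
    if (fixed) release_fixed(&sk); else release_unsynchronized(&sk);
    if (sk.work_pending) tx_work(&sk);   /* workqueue runs leftover work */
    return sk.uaf;
}
```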

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

nfc: rawsock: cancel tx_work before socket teardown

In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will see the flag and skip transmitting, then use cancel_work_sync to wait for any in-progress execution to finish, and finally purge any remaining queued skbs.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF race condition directly enables privilege escalation via exploitation for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 · Same product: Linux Linux Kernel
CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-23387 · Same product: Linux Linux Kernel
CVE-2025-21856 · Same product: Linux Linux Kernel
CVE-2025-21727 · Same product: Linux Linux Kernel
CVE-2026-23275 · Same product: Linux Linux Kernel
CVE-2026-31401 · Same product: Linux Linux Kernel
CVE-2024-57980 · Same product: Linux Linux Kernel
CVE-2026-23437 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
3.1, 7.0 · 3.1.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely application of the kernel patch directly resolves the race condition by synchronizing tx_work cancellation and purging during NFC rawsock socket teardown.

prevent

Memory protection mechanisms such as address space randomization and execution restrictions mitigate exploitation of the use-after-free vulnerability in the kernel.

detect

Vulnerability scanning identifies the kernel CVE in NFC rawsock, enabling detection and prioritization for remediation.

References