CVE-2026-46267

HIGH EPSS 2.2%
Published Jun 3, 20263w ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Jun 3, 2026 3w ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: nfc: hci: shdlc: Stop timers and work before freeing context llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races. Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context. Found by Linux Verification Center (linuxtesting.org) with SVACE.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥3.7  –  <5.15.202
linuxlinux_kernel*≥5.16  –  <6.1.165
linuxlinux_kernel*≥6.2  –  <6.6.128
linuxlinux_kernel*≥6.7  –  <6.12.75
linuxlinux_kernel*≥6.13  –  <6.18.14
linuxlinux_kernel*≥6.19  –  <6.19.4

References 7

  • git.kernel.org https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab
    Patch