CVE-2023-53023

CVE-2023-53023 is a use-after-free vulnerability in the Linux kernel's NFC subsystem, specifically within the LLCP (Logical Link Control Protocol) implementation in net/nfc/llcp_core.c. The issue arises in the local_cleanup() function, where local->rx_pending is freed via kfree_skb() during NFC device detachment via nfc_llcp_unregister_device(). A subsequent call to local_cleanup() from local_release()—triggered by NFC daemon termination, such as killing neard—attempts to free the same skb again, leading to the use-after-free. This was detected by KASAN during fuzzing with a modified syzkaller, manifesting as a crash in kfree_skb().

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) by detaching an NFC device and then terminating the NFC daemon process, such as neard. The attack requires local access to a system with an NFC device driver loaded, like pn533_usb. Successful exploitation of the use-after-free (CWE-416) could result in high confidentiality, integrity, and availability impacts (CVSS 7.8), potentially allowing kernel memory corruption, arbitrary code execution, or system denial of service.

Kernel patches addressing this issue are available in multiple stable branches via the referenced commits, which modify local_cleanup() to set local->rx_pending to NULL after freeing, preventing the double-free when the function is invoked multiple times. Security practitioners should update affected Linux kernels to incorporate these fixes, particularly on systems utilizing NFC functionality.