CVE-2026-46267

In the Linux kernel, the following vulnerability has been resolved:

nfc: hci: shdlc: Stop timers and work before freeing context

llc shdlc deinit() purges SHDLC skb queues and frees the llc shdlc structure while its timers and state machine work may still be active.

Timer callbacks can schedule sm work, and sm work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm work synchronously before purging the queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.