Skip to main content

Linux CVE-2026-23248

| EUVDEUVD-2026-12811 HIGH
Use After Free (CWE-416)
2026-03-18 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 10:30 euvd
EUVD-2026-12811
Analysis Generated
Mar 18, 2026 - 10:30 vuln.today
CVE Published
Mar 18, 2026 - 10:05 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix refcount bug and potential UAF in perf_mmap

Syzkaller reported a refcount_t: addition on 0; use-after-free warning in perf_mmap.

The issue is caused by a race condition between a failing mmap() setup and a concurrent mmap() on a dependent event (e.g., using output redirection).

In perf_mmap(), the ring_buffer (rb) is allocated and assigned to event->rb with the mmap_mutex held. The mutex is then released to perform map_range().

If map_range() fails, perf_mmap_close() is called to clean up. However, since the mutex was dropped, another thread attaching to this event (via inherited events or output redirection) can acquire the mutex, observe the valid event->rb pointer, and attempt to increment its reference count. If the cleanup path has already dropped the reference count to zero, this results in a use-after-free or refcount saturation warning.

Fix this by extending the scope of mmap_mutex to cover the map_range() call. This ensures that the ring buffer initialization and mapping (or cleanup on failure) happens atomically effectively, preventing other threads from accessing a half-initialized or dying ring buffer.

AnalysisAI

A race condition in the Linux kernel's perf_mmap() function creates a use-after-free vulnerability when concurrent threads attempt to access a ring buffer during failed memory mapping operations. The vulnerability affects Linux kernel versions across 6.18.17, 6.19.7, and 7.0-rc2, allowing a local attacker with standard user privileges to trigger refcount saturation warnings and potential kernel crashes via denial of service. This issue was discovered by Syzkaller fuzzing and has patches available across multiple stable kernel branches.

Technical ContextAI

The vulnerability resides in the perf (performance monitoring) subsystem of the Linux kernel, specifically in the perf_mmap() function which manages ring buffer creation for performance event monitoring. The perf subsystem (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is a core kernel component responsible for collecting hardware and software performance counters. The root cause is classified as a race condition (CWE-362) combined with use-after-free (CWE-416) and refcount management failure. The vulnerability stems from improper mutex locking scope: the mmap_mutex protecting the ring buffer allocation (event->rb) is released before calling map_range(), creating a window where concurrent threads can observe a valid event->rb pointer and attempt to increment its refcount. If the original thread's cleanup path (perf_mmap_close) has already decremented the refcount to zero, subsequent refcount increment attempts trigger use-after-free or refcount_t saturation warnings in the kernel. The fix extends mmap_mutex scope to cover map_range() atomically, preventing other threads from accessing the half-initialized ring buffer.

RemediationAI

Apply the Linux kernel security patch immediately by upgrading to patched versions: Linux 6.18.17 or later, 6.19.7 or later, or 7.0-rc2 or later. Consult your distribution's security advisory for specific package versions and apply via standard package management (apt, yum, dnf, zypper, etc.). For systems unable to patch immediately, reduce risk by restricting local user access and limiting process isolation scope (disable unprivileged namespaces if not required). Implement resource quotas to prevent rapid exploitation attempts that could cause cascading system failures. Monitor kernel logs for refcount_t warnings or perf subsystem errors (dmesg | grep -i 'refcount\|perf'). Prioritize patching for multi-user systems, container hosts, and cloud infrastructure where local user interaction is expected. See kernel commit fixes at https://git.kernel.org/stable/c/c27dea9f50ed525facb62ef647dddc4722456e07, https://git.kernel.org/stable/c/ac7ecb65af170a7fc193e7bd8be15dac84ec6a56, and https://git.kernel.org/stable/c/77de62ad3de3967818c3dbe656b7336ebee461d2.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky vulnerable 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy