Skip to main content

Linux CVE-2026-23309

| EUVDEUVD-2026-15251 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux GHSA-f7v6-c4j6-g8wv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 28, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15251
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

tracing: Add NULL pointer check to trigger_data_free()

If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter.

Fix the problem by adding a NULL pointer check to trigger_data_free().

The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.

AnalysisAI

A NULL pointer dereference vulnerability exists in the Linux kernel's event tracing subsystem, specifically in the trigger_data_free() function which fails to validate NULL pointers before dereferencing the data->cmd_ops field. This affects all Linux kernel versions where the vulnerable tracing code is present, and can be exploited by local attackers with appropriate privileges to cause a denial of service through kernel panic. The vulnerability was discovered through automated code review rather than active exploitation in the wild, and patches have been committed to stable kernel branches.

Technical ContextAI

The vulnerability resides in the Linux kernel's tracing infrastructure (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically within the event histogram trigger parsing mechanism. The issue manifests when trigger_data_alloc() fails and returns NULL, yet the error handling path in event_hist_trigger_parse() calls trigger_data_free() without verifying the pointer validity. While the standard kfree() function safely handles NULL pointers, the custom trigger_data_free() function attempts to dereference data->cmd_ops->set_filter without a preceding NULL check. This represents a classic CWE-476 (NULL Pointer Dereference) scenario where error path handling is incomplete, allowing a NULL pointer to propagate through the cleanup logic and cause an immediate kernel panic.

RemediationAI

Users should update their Linux kernel to version 6.9.0 or later, or apply the specific backported patches from git.kernel.org/stable using the commit hashes provided in the references (13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e for current development, or the corresponding stable branch commits). System administrators managing long-term support kernels should coordinate with their distribution vendors (Red Hat, Canonical, SUSE, etc.) for stable branch updates. Until patching is feasible, restrict access to the kernel's event tracing subsystem by disabling the CONFIG_TRACE_EVENTS kernel configuration option if not required for operations, and limit local access to the system through account management and network segmentation, as the vulnerability requires local execution context to trigger.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy