Skip to main content

Linux Kernel CVE-2026-46272

| EUVDEUVD-2026-34134 MEDIUM
Race Condition (CWE-362)
2026-06-03 Linux GHSA-v558-wf7v-xc9h
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 09, 2026 - 20:22 vuln.today
CVSS changed
Jun 09, 2026 - 20:07 NVD
4.7 (MEDIUM)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

coresight: tmc-etr: Fix race condition between sysfs and perf mode

When trying to run perf and sysfs mode simultaneously, the WARN_ON() in tmc_etr_enable_hw() is triggered sometimes:

WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] [..snip..] Call trace: tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] coresight_enable_path+0x1c8/0x218 [coresight] coresight_enable_sysfs+0xa4/0x228 [coresight] enable_source_store+0x58/0xa8 [coresight] dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 kernfs_fop_write_iter+0x120/0x1b8 vfs_write+0x2c8/0x388 ksys_write+0x74/0x108 __arm64_sys_write+0x24/0x38 el0_svc_common.constprop.0+0x64/0x148 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x1ac/0x1b0 ---[ end trace 0000000000000000 ]---

Since the enablement of sysfs mode is separeted into two critical regions, one for sysfs buffer allocation and another for hardware enablement, it's possible to race with the perf mode. Fix this by double check whether the perf mode's been used before enabling the hardware in sysfs mode.

mode: [sysfs mode] [perf mode] tmc_etr_get_sysfs_buffer() spin_lock(&drvdata->spinlock) [sysfs buffer allocation] spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() drvdata->etr_buf = etr_perf->etr_buf spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at the perf side spin_unlock(&drvdata->spinlock)

With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf. This ensures we verify whether the perf mode's already running before we actually allocate the buffer. Then we can save the time of allocating/freeing the sysfs buffer if race with the perf mode.

AnalysisAI

Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.

Technical ContextAI

The affected component is the CoreSight TMC-ETR driver at drivers/hwtracing/coresight/coresight-tmc-etr.c in the Linux kernel (CPE: cpe:2.3:a:linux:linux). CoreSight is an ARM hardware tracing infrastructure; the ETR (Embedded Trace Router) is a trace sink component that stores trace data in system memory. The driver exposes two parallel tracing interfaces: a sysfs-controlled mode and a perf-subsystem-controlled mode, both sharing drvdata->spinlock for mutual exclusion. CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) precisely describes the root cause: the sysfs enable path executes two separate lock/unlock cycles - one in tmc_etr_get_sysfs_buffer() for buffer allocation and one in tmc_enable_etr_sink() for hardware enablement - leaving an unprotected window between them. The fix introduces a CS_MODE_PERF re-check before hardware enablement in the sysfs path, collapsing the two-phase vulnerability into a single, guarded operation and avoiding unnecessary buffer allocation when perf mode is already active.

RemediationAI

The primary fix is to upgrade to Linux kernel 6.18.14, 6.19.4, or 7.0, which include the corrective commits. The upstream stable patches are available at https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c, https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53, and https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab. Distribution-specific kernel updates from vendors such as Red Hat, Ubuntu, or SUSE should be monitored and applied as released. As a workaround on unpatched systems, ensuring that CoreSight sysfs tracing and perf-based CoreSight tracing are never initiated concurrently will prevent the race from triggering; this may be enforced via access controls on /sys/bus/coresight paths or by restricting perf_event_open() capabilities (e.g., setting kernel.perf_event_paranoid=3). Systems that do not utilize ARM CoreSight hardware tracing are unaffected and require no action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-46272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy