Skip to main content

Linux EUVDEUVD-2026-15253

| CVE-2026-23311 MEDIUM
Improper Locking (CWE-667)
2026-03-25 Linux GHSA-h7wr-qv5c-937x
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15253
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix invalid wait context in ctx_sched_in()

Lockdep found a bug in the event scheduling when a pinned event was failed and wakes up the threads in the ring buffer like below.

It seems it should not grab a wait-queue lock under perf-context lock. Let's do it with irq_work.

[ 39.913691] ========= [ 39.914157] [ BUG: Invalid wait context ] [ 39.914623] 6.15.0-next-20250530-next-2025053 #1 Not tainted [ 39.915271] ----------------------------- [ 39.915731] repro/837 is trying to lock: [ 39.916191] ffff88801acfabd8 (&event->waitq){....}-{3:3}, at: __wake_up+0x26/0x60 [ 39.917182] other info that might help us debug this: [ 39.917761] context-{5:5} [ 39.918079] 4 locks held by repro/837: [ 39.918530] #0: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: __perf_event_task_sched_in+0xd1/0xbc0 [ 39.919612] #1: ffff88806ca3c6f8 (&cpuctx_lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1a7/0xbc0 [ 39.920748] #2: ffff88800d91fc18 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1f9/0xbc0 [ 39.921819] #3: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: perf_event_wakeup+0x6c/0x470

AnalysisAI

A lockdep-detected invalid wait context vulnerability exists in the Linux kernel's performance event scheduling subsystem, specifically in the ctx_sched_in() function when handling pinned events. The vulnerability affects all Linux kernel versions (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) and arises when the kernel attempts to acquire a wait-queue lock while already holding a perf-context lock, violating lock ordering rules and potentially causing system hangs or crashes. This is a kernel-level synchronization bug that can be triggered by unprivileged users with access to perf event tracing capabilities, though active exploitation in the wild has not been documented.

Technical ContextAI

The vulnerability resides in the Linux kernel's perf/core subsystem, specifically in the performance event scheduling logic (ctx_sched_in function in kernel/events/core.c). The root cause is a lock ordering violation where the code attempts to call __wake_up() on an event's wait queue (event->waitq) while holding multiple higher-level locks: rcu_read_lock, cpuctx_lock, and ctx->lock. According to lockdep validation (a kernel debugging tool that detects deadlock-prone lock patterns), this violates the lock acquisition hierarchy because wait-queue locks should not be acquired under perf-context locks. The fix involves deferring the wake-up operation to irq_work context, which executes outside the problematic lock nesting scenario. This is a synchronization/locking correctness issue rather than a traditional memory safety vulnerability, classified under kernel-level concurrency problems.

RemediationAI

Apply the Linux kernel patches from the stable kernel repository: commit c67ab059953e3b66cb17ddd6524c23f9e1f6526d, 825f218ca70ef394c2b8546b313711d867b24584, or 486ff5ad49bc50315bcaf6d45f04a33ef0a45ced depending on your kernel branch (available at https://git.kernel.org/stable/). Update your Linux kernel to a version that includes one of these commits. For enterprise users, check your distribution's security advisories for backported patches (Red Hat, Canonical, SUSE, etc. typically provide kernel security updates). Until patching is possible, mitigate risk by restricting perf event tracing access via capabilities or SELinux policies, limiting unprivileged perf tool usage, and monitoring system logs for lockdep warnings that may indicate the condition being triggered. For critical systems, consider temporarily disabling performance event tracing if not essential to your workload.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy