CVE-2026-23159
📋 TL;DR
A race condition vulnerability in the Linux kernel's perf subsystem could cause a kernel crash when profiling user tasks. The issue occurs when perf attempts to read memory from a task that's in the process of exiting, leading to a NULL pointer dereference. This affects systems running vulnerable Linux kernel versions with perf enabled.
💻 Affected Systems
- Linux kernel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
System crash or instability when perf tools are actively profiling user tasks during task termination events.
If Mitigated
No impact if perf subsystem is disabled or not actively profiling user tasks.
🎯 Exploit Status
Exploitation requires triggering perf profiling at the exact moment a task is exiting, creating a race condition. This makes reliable exploitation challenging but possible through repeated attempts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 5aac392fcd3d981d7997f1a0766829e1afdeac2e, 76ed27608f7dd235b727ebbb12163438c2fbb617, a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c, d84a4836dc246b7dc244e46a08ff992956b68db0
Vendor Advisory: https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched commit hashes.
🔧 Temporary Workarounds
Disable perf subsystem
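Reduces exposure by restricting unprivileged access to the perf performance monitoring subsystem. Higher values of kernel.perf_event_paranoid are more restrictive, so the value has to be raised; writing 0 would loosen the restriction. The value 3 blocks unprivileged perf_event_open() only on kernels that carry the distribution patch for it (for example Debian and Ubuntu); mainline kernels treat it the same as 2. Privileged users (root, CAP_PERFMON) are not restricted by this setting. Either command sets the value until the next reboot:
echo 3 > /proc/sys/kernel/perf_event_paranoid
sysctl -w kernel.perf_event_paranoid=3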
Restrict perf usage
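Limit perf tool usage to trusted users only. The file capabilities set below apply to every user who can execute the binary, so after chmod 750 its group must contain trusted users only.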
chmod 750 /usr/bin/perf
setcap cap_sys_admin,cap_sys_ptrace,cap_syslog+ep /usr/bin/perf
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from running perf tools
- Monitor system logs for perf-related crashes and implement automated alerting
🔍 How to Verify
Check if Vulnerable:
Check kernel version and compare with known vulnerable ranges. Examine if perf subsystem is active by checking /proc/sys/kernel/perf_event_paranoid value.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits. Test perf functionality with user task profiling to ensure no crashes occur.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- NULL pointer dereference errors in dmesg
- Perf-related crash reports in system logs
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kernel panic" OR "perf")
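The query above matches any kernel line containing "perf", including routine perf messages. As an added example (not part of the original advisory), the shell function below counts only NULL pointer dereference reports that have a perf_* frame in the same oops; the symbol names in the sample log are constructed placeholders, not the actual call trace of this CVE.

```shell
#!/bin/sh
# Added example (not from the advisory): count kernel oops reports that are
# NULL pointer dereferences AND contain a perf_* frame in the same report.
# Reads kernel log text on stdin, e.g.  dmesg | count_perf_null_oops

count_perf_null_oops() {
    awk '
        # A new NULL-dereference report starts (x86 and arm64 wording both match).
        /kernel NULL pointer dereference/ {
            if (in_oops && perf) n++      # previous report had no end marker
            in_oops = 1; perf = 0; next
        }
        # perf_* symbol with an offset: an RIP/pc line or a call-trace frame.
        in_oops && /(^|[^A-Za-z0-9_])perf_[A-Za-z0-9_]+\+0x/ { perf = 1 }
        # End marker closes the report; count it only if perf was on the stack.
        in_oops && /---\[ end trace/ { if (perf) n++; in_oops = 0 }
        # A panic can cut the log short before the end marker is written.
        END { if (in_oops && perf) n++; print n + 0 }
    '
}

# Constructed sample log: one routine perf message, one perf-related NULL
# dereference (placeholder symbols), one unrelated NULL dereference.
sample_log() {
    cat <<'EOF'
[  101.000001] perf: interrupt took too long (2512 > 2500), lowering kernel.perf_event_max_sample_rate to 79500
[  202.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  202.000002] RIP: 0010:perf_example_fn+0x1a/0x40
[  202.000003] Call Trace:
[  202.000004]  perf_example_caller+0x22/0x90
[  202.000005] ---[ end trace 0000000000000000 ]---
[  303.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  303.000002] RIP: 0010:other_driver_fn+0x10/0x30
[  303.000003] ---[ end trace 0000000000000000 ]---
EOF
}

sample_log | count_perf_null_oops   # prints 1
```

A non-zero count from `journalctl -k` or `dmesg` output is a candidate for the alerting described under "If You Can't Patch"; the match is on the generic perf_ prefix, so each hit still needs its call trace reviewed.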