CVE-2026-23102 Overview
A vulnerability has been identified in the Linux kernel's arm64/fpsimd subsystem affecting the restoration of SVE (Scalable Vector Extension) signal context. When SME (Scalable Matrix Extension) is supported, restoring SVE signal context can result in placing tasks into an invalid state where the kernel may read from out-of-bounds memory, potentially causing fatal faults or terminating tasks with SIGKILL.
Critical Impact
This vulnerability can lead to out-of-bounds memory reads in the kernel, potential information exposure via SVE registers, and unexpected task termination through SIGKILL signals.
Affected Products
- Linux kernel with arm64 architecture support
- Systems with SME (Scalable Matrix Extension) support
- Linux kernel versions prior to the security patches
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23102 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23102
Vulnerability Analysis
The vulnerability exists in the Linux kernel's handling of SVE signal context restoration on arm64 systems with SME support. Two distinct failure scenarios have been identified:
Scenario 1 - TIF_SME Flag Inconsistency: When restoring a context with SVE_SIG_FLAG_SM set, the task can be placed into an invalid state where SVCR.SM is set (and sve_state is non-NULL) but TIF_SME is clear. This inconsistent state occurs during legitimate operations such as signal context modification by userspace or context restoration from another task (e.g., CRIU checkpointing).
In this invalid state, task_fpsimd_load() fails to properly configure SMCR_ELx, leaving an arbitrary value in hardware. When SVCR is restored and sve_load_state() attempts to restore streaming mode SVE registers, the misconfigured SMCR_ELx.LEN value may exceed the task's actual streaming SVE vector length, causing reads beyond the allocated sve_state buffer.
Scenario 2 - SVCR.SM Not Cleared: When restoring a context with SVE_SIG_FLAG_SM clear, the task's SVCR.SM is not properly cleared. If SVCR.SM was previously set (via ptrace after sigreturn syscall entry), the task remains unexpectedly in streaming mode with inconsistently combined register state.
Root Cause
The root cause is improper state management during SVE signal context restoration. The kernel fails to:
- Set TIF_SME when setting SVCR.SM, which is required to ensure proper SMCR_ELx configuration
- Allocate the task's sme_state before manipulating streaming mode state
- Clear SVCR.SM when restoring SVE signal context with SVE_SIG_FLAG_SM clear
The fix involves reordering the manipulation of SVCR, TIF_SVE, TIF_SME, and fp_type to occur immediately after sve_state/sme_state allocation, before actual register state restoration.
Attack Vector
The vulnerability can be triggered through legitimate but unusual operations:
The first scenario requires either userspace modification of the SVE signal context or restoration of signal context saved from another task (such as during CRIU checkpoint/restore operations). An attacker with local access could craft malicious signal contexts or manipulate checkpoint data to trigger the invalid state.
The second scenario requires ptrace access to set SVCR.SM after entry to the sigreturn syscall, which requires elevated privileges or debugging capabilities.
While secrets may temporarily be loaded into streaming SVE registers during exploitation, the kernel's protection mechanisms prevent direct exposure: CPACR_ELx.SMEN is configured to trap EL0 accesses when TIF_SME is clear, and fpsimd_save_user_state() validates vector lengths before saving state to memory.
Detection Methods for CVE-2026-23102
Indicators of Compromise
- Unexpected SIGKILL signals sent to processes on arm64 systems with SME support
- Kernel oops or faults related to fpsimd, sve_load_state, or task_fpsimd_load functions
- Processes unexpectedly entering streaming SVE mode
Detection Strategies
- Monitor kernel logs for errors related to arm64 FPSIMD/SVE subsystem operations
- Track processes receiving unexpected fatal signals during signal handling operations
- Audit ptrace operations targeting SVCR register modifications during sigreturn syscalls
Monitoring Recommendations
- Enable enhanced kernel logging for arm64 signal handling subsystems
- Monitor for anomalous CRIU checkpoint/restore activity that could exploit signal context restoration
- Implement system call auditing for sigreturn operations on affected arm64 systems
How to Mitigate CVE-2026-23102
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel git repository
- Prioritize patching systems with SME-capable arm64 processors
- Review and audit applications using CRIU or similar checkpoint/restore mechanisms
Patch Information
The vulnerability has been addressed through patches available in the Linux kernel git repository. The fix reorders state manipulation to occur immediately after sve_state/sme_state allocation, ensuring consistent handling of SVCR, TIF_SVE, TIF_SME, and fp_type flags.
The following commits address this vulnerability:
- Commit 7b5a52cf252a0d2e89787b645290ad288878f332 - Available via Kernel Git Commit Reference
- Commit d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 - Available via Kernel Git Commit Reference
Workarounds
- Restrict ptrace access to trusted debugging contexts only
- Limit the use of CRIU or similar checkpoint/restore tools on affected systems until patches are applied
- Consider disabling SME features if not required for workload functionality
# Check current kernel version and SME support status
uname -r
cat /proc/cpuinfo | grep -i sme
# Apply kernel updates (distribution-specific)
# For Debian/Ubuntu:
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# For RHEL/CentOS/Fedora:
sudo dnf update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
