A Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. Five years running.A Leader in the Gartner® Magic Quadrant™Read the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI Security Portfolio
      Leading the Way in AI-Powered Security Solutions
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      Digital Forensics, IRR & Breach Readiness
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23107

CVE-2026-23107: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23107 is a use-after-free flaw in the Linux kernel's arm64/fpsimd signal handling that can cause NULL pointer dereference. This article covers the technical details, affected versions, impact, and mitigation.

Published: February 6, 2026

CVE-2026-23107 Overview

CVE-2026-23107 is a Null Pointer Dereference vulnerability in the Linux kernel's ARM64 FPSIMD (Floating-Point SIMD) subsystem, specifically affecting the signal handling code for the Scalable Matrix Extension (SME) ZA context restoration. The vulnerability occurs when the restore_za_context() function fails to allocate the task's sve_state before setting the TIF_SME flag, potentially placing a task into an invalid state.

This issue is particularly relevant for systems using checkpoint/restore functionality (such as CRIU) where the ZA signal context may not have been created by the kernel in the same task context. In these scenarios, userspace can enter streaming mode without trapping while sve_state is NULL, leading to a kernel panic when the kernel later attempts to store the register state.

Critical Impact

Local users can trigger a kernel NULL pointer dereference causing a system crash (denial of service) when restoring ZA signal contexts on ARM64 systems with SME support.

Affected Products

  • Linux kernel with ARM64 architecture support
  • Systems with Scalable Matrix Extension (SME) enabled
  • Linux kernel versions prior to the security patches

Discovery Timeline

  • February 4, 2026 - CVE-2026-23107 published to NVD
  • February 5, 2026 - Last updated in NVD database

Technical Details for CVE-2026-23107

Vulnerability Analysis

The vulnerability resides in the ARM64 kernel's signal handling subsystem, specifically within the restore_za_context() function. When a ZA (Scalable Matrix Extension Array) context is restored from a signal frame, the code sets the TIF_SME thread info flag without first ensuring that the task's sve_state buffer has been allocated.

Under normal operation, the sve_state allocation would have occurred previously through standard kernel mechanisms. However, in legitimate but uncommon scenarios—such as when a process is saved and restored using CRIU (Checkpoint/Restore In Userspace)—the ZA signal context may have been created in a different task context. This means there is no guarantee that sve_state was ever allocated for the current task.

When userspace subsequently enters streaming mode, the kernel does not trap because TIF_SME is already set. Later, when a context switch occurs and the kernel attempts to save the SVE/SSVE register state via sve_save_state(), it dereferences the NULL sve_state pointer, causing a kernel oops.

Root Cause

The root cause is a missing allocation check in the restore_za_context() function. The code unconditionally sets TIF_SME without verifying or ensuring that the associated sve_state storage has been allocated. This creates a race condition between the flag being set and the actual memory being available.

The fix ensures that restore_za_context() allocates the task's sve_state before proceeding, matching the behavior used when handling SME traps. Importantly, the fix must preserve any live SVE/SSVE state that was restored earlier from a separate signal context, so the allocation cannot simply zero the buffer.

Attack Vector

The vulnerability can be triggered locally by a user with the ability to manipulate signal frames or use checkpoint/restore utilities. The attack requires:

  1. An ARM64 system with SME (Scalable Matrix Extension) support
  2. The ability to create or restore a process with a crafted ZA signal context
  3. Triggering a context switch after entering streaming mode

The kernel crash trace shows the failure occurring in sve_save_state() called from fpsimd_thread_switch() during a context switch, with the program counter at offset +0x4 indicating the NULL pointer dereference happens at the very beginning of the state save operation.

Detection Methods for CVE-2026-23107

Indicators of Compromise

  • Kernel oops messages containing "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000"
  • Crash traces showing sve_save_state and fpsimd_thread_switch in the call stack
  • System instability or crashes when using CRIU or similar checkpoint/restore tools on ARM64 SME-enabled systems
  • Kernel logs showing ESR value 0x0000000096000046 with EC=0x25 (DABT at current EL)

Detection Strategies

  • Monitor kernel logs for NULL pointer dereference events in the FPSIMD/SVE subsystem
  • Implement crash dump analysis to identify sve_save_state related crashes
  • Enable kernel tracing on fpsimd_thread_switch and restore_za_context functions to detect suspicious activity
  • Monitor for unusual patterns of signal frame manipulation in userspace processes

Monitoring Recommendations

  • Configure kernel crash dump collection (kdump) to capture full crash context for analysis
  • Set up automated alerting for kernel oops events on ARM64 systems with SME support
  • Monitor CRIU and checkpoint/restore operations for failures related to SME context
  • Review audit logs for processes attempting to manipulate signal frames

How to Mitigate CVE-2026-23107

Immediate Actions Required

  • Apply the kernel patches from the official kernel git repository immediately
  • Restrict access to checkpoint/restore tools (CRIU) to trusted users only
  • Consider temporarily disabling SME support if not required for production workloads
  • Monitor system stability and kernel logs for any crash events

Patch Information

The Linux kernel maintainers have released patches to address this vulnerability. The fix modifies restore_za_context() to ensure the task's sve_state is properly allocated before setting TIF_SME, matching the behavior used when handling SME traps. Multiple patch commits are available:

  • Kernel Git Commit 0af233d
  • Kernel Git Commit 19b2c3f
  • Kernel Git Commit 70f7f54
  • Kernel Git Commit ea8ccfd

Workarounds

  • Disable SME support at boot time using kernel command line parameters if the feature is not required
  • Restrict checkpoint/restore operations to trusted administrative contexts only
  • Implement access controls to prevent untrusted users from manipulating signal frames
  • Consider using kernel live patching solutions if immediate reboot is not feasible
bash
# Disable SME at boot time (add to kernel command line)
arm64.nosme=1

# Restrict CRIU capabilities to trusted users
chmod 700 /usr/sbin/criu
chown root:root /usr/sbin/criu

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Git Commit Log 1
  • Kernel Git Commit Log 2
  • Kernel Git Commit Log 3
  • Kernel Git Commit Log 4
  • Related CVEs
  • CVE-2026-23227: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23224: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23098: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23056: Linux Kernel Use-After-Free Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • English
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use