CVE-2026-23114 Overview
A vulnerability has been identified in the Linux kernel's arm64/fpsimd subsystem affecting ptrace operations for Scalable Vector Extension (SVE) registers. When SVE is supported but Scalable Matrix Extension (SME) is not supported, a ptrace write to the NT_ARM_SVE regset can place the tracee into an invalid state where non-streaming SVE register data is stored in FP_STATE_SVE format while the TIF_SVE flag is clear.
Critical Impact
This vulnerability can trigger kernel warnings and place traced processes into an inconsistent FPSIMD/SVE state, potentially affecting debugging operations and system stability on ARM64 systems with SVE but without SME support.
Affected Products
- Linux kernel with ARM64 architecture support
- Systems with SVE (Scalable Vector Extension) enabled
- Systems without SME (Scalable Matrix Extension) support
Discovery Timeline
- 2026-02-14 - CVE-2026-23114 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23114
Vulnerability Analysis
This vulnerability affects the Linux kernel's handling of ARM64 floating-point and vector register state during ptrace operations. The issue manifests when a debugger writes to the NT_ARM_SVE regset on systems where SVE is available but SME is not.
The bug was introduced during a code refactoring effort in commit 9f8bf718f2923 ("arm64/fpsimd: ptrace: Gracefully handle errors"), where the logic to set the TIF_SVE flag was inadvertently moved into a conditional block that only executes when system_supports_sme() returns true. This means on systems without SME support, the TIF_SVE flag is never set during SVE regset writes, leaving the tracee in an inconsistent state.
When fpsimd_restore_current_state() is subsequently called, it detects the state mismatch and issues a kernel warning before correcting the state by setting TIF_SVE. While the kernel self-corrects this condition before any other code can observe the invalid state, the warning indicates improper state management that should be addressed.
Root Cause
The root cause is a regression introduced in commit 9f8bf718f2923 where the TIF_SVE flag setting was incorrectly guarded by a system_supports_sme() check. This conditional was appropriate for SME-specific logic but was erroneously applied to the generic SVE flag manipulation, breaking the code path for SVE-only systems.
The fix removes the system_supports_sme() check, ensuring TIF_SVE is unconditionally set for SVE-formatted writes to NT_ARM_SVE. The manipulation of the svcr value is benign on non-SME systems and follows existing patterns used elsewhere in the kernel (such as during signal handling).
Attack Vector
The vulnerability requires local access and the ability to use ptrace to debug a process on an affected ARM64 system. An attacker or user with appropriate privileges could trigger this condition by:
- Attaching to a target process via ptrace on an ARM64 system with SVE but without SME
- Writing to the NT_ARM_SVE regset using PTRACE_SETREGSET
- Allowing the tracee to resume execution, triggering the state restoration warning
The vulnerability is primarily a stability and correctness issue rather than a security exploitation vector. The kernel self-corrects before any observable impact occurs, limiting the practical consequences to spurious warning messages in the kernel log.
Detection Methods for CVE-2026-23114
Indicators of Compromise
- Kernel warning messages from fpsimd_restore_current_state() at arch/arm64/kernel/fpsimd.c:383
- Warning messages indicating PID and CPU related to FPSIMD state restoration
- Unusual ptrace activity targeting SVE regsets on ARM64 systems
Detection Strategies
- Monitor kernel logs for warnings containing fpsimd_restore_current_state and the specific line number reference
- Audit ptrace system calls targeting NT_ARM_SVE regsets using system call auditing frameworks
- Deploy kernel tracing (ftrace/eBPF) to monitor access to SVE register state functions
Monitoring Recommendations
- Enable kernel log monitoring for WARNING level messages from the fpsimd.c source file
- Implement process monitoring to detect unusual debugger attachment patterns
- Review ARM64 system configurations to identify systems running with SVE enabled but SME disabled
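The log check from Detection Strategies and the SVE-without-SME inventory check from Monitoring Recommendations, as an added example that is not part of the original advisory or the kernel source. The function names and sample inputs are constructed here, and the classic "WARNING: CPU: n PID: n at file:line function" layout of the warning line is an assumption.

```bash
#!/usr/bin/env bash
# Added triage helpers for CVE-2026-23114; not vendor or kernel code.

# Classify /proc/cpuinfo text read from stdin. Whole-token matching keeps
# "sve2" or "svebitperm" from being counted as "sve".
# Prints: sve-only (the configuration this advisory covers), sve+sme, or no-sve.
classify_sve_config() {
    awk -F': *' '
        /^Features/ && !seen {
            seen = 1
            n = split($2, feat, " ")
            for (i = 1; i <= n; i++) {
                if (feat[i] == "sve") sve = 1
                if (feat[i] == "sme") sme = 1
            }
        }
        END {
            if (!sve) print "no-sve"
            else if (sme) print "sve+sme"
            else print "sve-only"
        }'
}

# Scan kernel log text on stdin for the WARN in fpsimd_restore_current_state().
# Matches on file and function rather than a fixed line number, then prints
# "pid=<n> cpu=<n>" per hit ("?" when a field is absent from the line).
fpsimd_warn_hits() {
    awk '
        /WARNING:/ && /arch\/arm64\/kernel\/fpsimd\.c:[0-9]+/ && /fpsimd_restore_current_state/ {
            pid = "?"; cpu = "?"
            for (i = 1; i < NF; i++) {
                if ($i == "PID:") pid = $(i + 1)
                if ($i == "CPU:") cpu = $(i + 1)
            }
            print "pid=" pid " cpu=" cpu
        }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CPUINFO='processor : 0
Features : fp asimd evtstrm aes crc32 atomics sve sve2 svebitperm'
SAMPLE_LOG='[  812.104530] WARNING: CPU: 2 PID: 4321 at arch/arm64/kernel/fpsimd.c:383 fpsimd_restore_current_state+0x50/0x260
[  901.000001] WARNING: CPU: 0 PID: 77 at kernel/example.c:100 example_function+0x10/0x20'

printf '%s\n' "$SAMPLE_CPUINFO" | classify_sve_config
printf '%s\n' "$SAMPLE_LOG" | fpsimd_warn_hits
```

On a live host, feed the functions real data with `classify_sve_config < /proc/cpuinfo` and `dmesg | fpsimd_warn_hits`; the reported PID identifies the traced process to correlate with ptrace audit records.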
How to Mitigate CVE-2026-23114
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Review affected ARM64 systems running kernel versions with commit 9f8bf718f2923 applied but without the fix
- Monitor system logs for evidence of the vulnerability being triggered
Patch Information
The fix has been committed to the stable kernel tree. The patch removes the unnecessary system_supports_sme() check, ensuring that TIF_SVE is properly set for all SVE regset writes regardless of SME support status. The relevant commits are:
- Kernel Git Commit 128a7494a9f15aad60cc6b7e3546bf481ac54a13
- Kernel Git Commit 4f39984176e7edcaba3432b6c649c6fe93bf2f80
Workarounds
- Limit ptrace access to trusted users and processes using appropriate security modules (SELinux, AppArmor)
- Disable SVE on affected systems if not required for application workloads (though this impacts performance)
- Restrict debugging capabilities using kernel security features like kernel.yama.ptrace_scope
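# Configuration example
# Restrict ptrace access to improve security posture
# (run as root; 2 = admin-only attach, requires CAP_SYS_PTRACE)
echo 2 > /proc/sys/kernel/yama/ptrace_scope
# Verify SVE and SME support status on ARM64 systems
# (-w matches whole feature tokens, so "sve2" is not counted as "sve")
grep -m1 -owE 'sve|sme' /proc/cpuinfo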


