
CVE-2026-23134: Linux Kernel Privilege Escalation Flaw

CVE-2026-23134 is a privilege escalation vulnerability in the Linux kernel affecting PREEMPT_RT configurations. This flaw impacts kmalloc_nolock() context checks. This post covers technical details, affected versions, and mitigation.

Published: February 20, 2026

CVE-2026-23134 Overview

A vulnerability has been identified in the Linux kernel's SLAB memory allocator where the kmalloc_nolock() function performs an incomplete context check on PREEMPT_RT (Real-Time) kernels. On these kernels, local_lock becomes a sleeping lock, but the current validation only verifies the execution context is not within NMI or hard IRQ handlers, missing the critical case where preemption is disabled.

When a BPF program executes from a tracepoint with preemption disabled (preempt_count > 0), kmalloc_nolock() proceeds to call local_lock_irqsave(), which attempts to acquire a sleeping lock in an atomic context. This triggers a kernel BUG with the message "sleeping function called from invalid context."

Critical Impact

This vulnerability can cause kernel instability and crashes when BPF programs interact with the SLAB allocator on PREEMPT_RT kernels, potentially leading to denial of service conditions.

Affected Products

  • Linux kernel with PREEMPT_RT configuration enabled
  • Systems running BPF programs from tracepoints with preemption disabled
  • Linux kernel SLAB memory allocator subsystem

Discovery Timeline

  • 2026-02-14 - CVE-2026-23134 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-23134

Vulnerability Analysis

The vulnerability exists in the kmalloc_nolock() function within the Linux kernel's SLAB allocator. On standard kernels, local_lock is implemented as a lightweight locking primitive that doesn't sleep. However, on PREEMPT_RT kernels, local_lock is converted to a sleeping lock to support real-time scheduling guarantees.

The existing context check in kmalloc_nolock() validates that the code is not executing in NMI or hard IRQ context, but fails to account for scenarios where preemption is simply disabled (preempt_count > 0). This oversight means that when a BPF program runs from a tracepoint with preemption disabled, the function incorrectly proceeds to acquire the sleeping lock.

The kernel reports this condition with the following diagnostic information:

  • in_atomic(): 1 - indicating atomic context
  • preempt_count: 2 - showing preemption is disabled
  • expected: 0 - the expected preempt_count for a sleeping operation

Root Cause

The root cause is an incomplete predicate in the kmalloc_nolock() context validation logic. The check was designed for non-PREEMPT_RT kernels where local_lock operations don't require sleeping capability. When the kernel is compiled with PREEMPT_RT, the semantics of local_lock_irqsave() change fundamentally, but the context check was not updated to reflect this constraint.

The fix requires checking !preemptible() on PREEMPT_RT kernels, which directly expresses the constraint that sleeping locks cannot be acquired when preemption is disabled. This check encompasses the previous NMI and hard IRQ context validations while also catching preemption-disabled scenarios.
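
The two predicates can be compared in a small userspace model. This is an added illustration, not code from the kernel or from the fix commits; the mask values assume the preempt_count bit layout in include/linux/preempt.h, and the function names and sample contexts are constructed. Both checks only apply on PREEMPT_RT builds.

```python
# Userspace model of the two context checks; not kernel code.
# Assumption: preempt_count bit layout as in include/linux/preempt.h.
PREEMPT_MASK = 0x000000FF   # preempt_disable() nesting depth
HARDIRQ_MASK = 0x000F0000   # hard IRQ handler
NMI_MASK = 0x00F00000       # NMI handler


def old_check_rejects(preempt_count, irqs_disabled=False):
    """Pre-fix predicate as the page describes it: refuse only in NMI or hard IRQ."""
    return bool(preempt_count & (NMI_MASK | HARDIRQ_MASK))


def new_check_rejects(preempt_count, irqs_disabled=False):
    """Post-fix predicate: !preemptible(), i.e. any non-zero count or IRQs off."""
    preemptible = preempt_count == 0 and not irqs_disabled
    return not preemptible


# Constructed contexts: (label, preempt_count, irqs_disabled)
CONTEXTS = [
    ("plain task context", 0x000000, False),
    ("tracepoint, preempt_count = 2", 0x000002, False),  # case from the BUG report
    ("task context, IRQs disabled", 0x000000, True),
    ("hard IRQ handler", 0x010000, False),
    ("NMI handler", 0x110000, False),
]


def gap():
    """Contexts the old check let through to the sleeping lock but the fix refuses."""
    return [label for label, pc, irq in CONTEXTS
            if not old_check_rejects(pc, irq) and new_check_rejects(pc, irq)]


def fix_is_superset():
    """True if every context the old check refused is still refused after the fix."""
    return all(new_check_rejects(pc, irq) for _, pc, irq in CONTEXTS
               if old_check_rejects(pc, irq))


if __name__ == "__main__":
    for label in gap():
        print("reached local_lock_irqsave() before the fix:", label)
    print("fix still covers NMI/hard IRQ:", fix_is_superset())
```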

Attack Vector

The vulnerability is triggered through normal kernel operations when the following conditions are met:

  1. The system is running a Linux kernel compiled with PREEMPT_RT support
  2. A BPF program is attached to a tracepoint
  3. The BPF program executes while preemption is disabled (preempt_count > 0)
  4. The BPF program's execution path calls into kmalloc_nolock()

When these conditions align, the kernel attempts to acquire a sleeping lock in an atomic context, resulting in a BUG condition that can crash the system or cause unpredictable behavior. This is primarily a local denial of service vector that requires the ability to load BPF programs on the target system.

Detection Methods for CVE-2026-23134

Indicators of Compromise

  • Kernel panic or BUG messages containing "sleeping function called from invalid context"
  • Kernel log entries showing in_atomic(): 1 with preempt_count values greater than 0
  • System crashes or hangs occurring specifically on PREEMPT_RT kernels
  • BPF program execution failures coinciding with tracepoint activity

Detection Strategies

  • Monitor kernel logs (dmesg, /var/log/kern.log) for "sleeping function called from invalid context" messages
  • Implement kernel crash monitoring to detect BUG conditions in the SLAB allocator subsystem
  • Use SentinelOne's kernel-level visibility to track anomalous memory allocation patterns on PREEMPT_RT systems
  • Deploy monitoring for unexpected system reboots or kernel panics on real-time systems
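
The "sleeping function called from invalid context" message is generic, so a log monitor should correlate it with the call trace before attributing it to this issue. The following parser is an added example, not SentinelOne or kernel project code; the sample log is constructed, and requiring a kmalloc_nolock frame in the trace is an assumed triage heuristic.

```python
import re

# Patterns for the kernel's atomic-sleep report; the message itself is generic.
BUG_RE = re.compile(r"BUG: sleeping function called from invalid context at (\S+)")
ATOMIC_RE = re.compile(r"in_atomic\(\): (\d+)")
COUNT_RE = re.compile(r"preempt_count: ([0-9a-f]+), expected: ([0-9a-f]+)")
FRAME_RE = re.compile(r"([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample log (paths, pids, symbols and offsets are made up).
SAMPLE_LOG = """\
[  412.101] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[  412.102] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2311, name: example_task
[  412.103] preempt_count: 2, expected: 0
[  412.106]  rt_spin_lock+0x3a/0x90
[  412.107]  kmalloc_nolock+0x1c4/0x420
[  412.108]  bpf_example_helper+0x55/0xa0
[  412.109]  </TASK>
[  980.001] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
[  980.002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 77, name: other_task
[  980.003] preempt_count: 1, expected: 0
[  980.005]  example_driver_ioctl+0x20/0x80
[  980.006]  </TASK>
"""

def find_splats(lines):
    """Group each BUG report with its context fields and call-trace symbols."""
    splats, cur = [], None
    for line in lines:
        if m := BUG_RE.search(line):
            cur = {"at": m.group(1), "in_atomic": 0, "preempt_count": 0,
                   "expected": 0, "frames": []}
            splats.append(cur)
        elif cur is None:
            continue
        elif "</TASK>" in line:
            cur = None                      # end of this report's call trace
        elif m := ATOMIC_RE.search(line):
            cur["in_atomic"] = int(m.group(1))
        elif m := COUNT_RE.search(line):    # the kernel prints both values in hex
            cur["preempt_count"], cur["expected"] = (int(g, 16) for g in m.groups())
        elif m := FRAME_RE.search(line):
            cur["frames"].append(m.group(1))
    return splats

def matches_cve_pattern(s):
    """Atomic-context sleep report whose trace passes through kmalloc_nolock()."""
    return (s["in_atomic"] == 1 and s["preempt_count"] > s["expected"]
            and "kmalloc_nolock" in s["frames"])
```

Feed `find_splats()` the lines from `dmesg` or kern.log and alert on reports where `matches_cve_pattern()` is true; other reports still indicate a sleep-in-atomic bug, but elsewhere in the kernel.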

Monitoring Recommendations

  • Enable kernel debug logging on PREEMPT_RT systems to capture context violation warnings
  • Implement automated alerting for kernel BUG conditions in production environments
  • Monitor BPF program loading and execution on systems with real-time kernel configurations
  • Use crash dump analysis tools to identify SLAB allocator failures in post-mortem analysis

How to Mitigate CVE-2026-23134

Immediate Actions Required

  • Apply the kernel patches provided in the official kernel git commits
  • If patching is not immediately possible, consider temporarily disabling BPF programs that run from tracepoints on affected PREEMPT_RT systems
  • Review and audit BPF programs for tracepoint usage patterns that may trigger this condition
  • Monitor systems for kernel crashes while awaiting patch deployment

Patch Information

The fix has been merged into the stable kernel tree. The patches modify the kmalloc_nolock() function to check !preemptible() on PREEMPT_RT kernels, properly expressing the constraint that sleeping locks cannot be acquired when preemption is disabled.

Official patches are available:

  • Kernel Git Commit 99a3e3a1
  • Kernel Git Commit f60ba4a9

Workarounds

  • Avoid running BPF programs from tracepoints on PREEMPT_RT kernels until the patch is applied
  • Consider using a standard (non-PREEMPT_RT) kernel if real-time scheduling is not required
  • Temporarily unload BPF programs that may trigger the vulnerable code path
  • Implement monitoring to detect and restart services affected by kernel instability
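
```bash
# Check if the system is running a PREEMPT_RT kernel
# (match PREEMPT_RT specifically; plain "preempt" also matches PREEMPT_DYNAMIC builds)
uname -v | grep -i 'preempt_rt'
grep -i 'preempt_rt' /proc/version

# List loaded BPF programs that may be affected (requires root)
bpftool prog list

# Check kernel configuration for PREEMPT_RT
# (anchor on "=y" so "# CONFIG_PREEMPT_RT is not set" does not match)
zcat /proc/config.gz 2>/dev/null | grep '^CONFIG_PREEMPT_RT=y' || grep '^CONFIG_PREEMPT_RT=y' "/boot/config-$(uname -r)"
```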

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Privilege Escalation
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.02%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None

Technical References

  • Kernel Git Commit Update
  • Kernel Git Commit Update

Related CVEs

  • CVE-2026-31411: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23438: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23439: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23437: Linux Kernel Privilege Escalation Flaw