CVE-2026-23138 Overview
A vulnerability has been resolved in the Linux kernel's tracing subsystem where an infinite recursion could occur when tracing RCU events with the kernel stack trace trigger enabled. The stack trace code called back into RCU which then called the stack trace again, creating a recursive loop that could lead to system instability or denial of service conditions.
Critical Impact
The infinite recursion in the kernel tracing subsystem can cause kernel stack overflow, potentially leading to system crashes and denial of service on affected Linux systems.
Affected Products
- Linux Kernel (multiple versions with tracing subsystem enabled)
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23138 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23138
Vulnerability Analysis
This vulnerability exists in the Linux kernel's tracing infrastructure, specifically in the kernel stack trace recording functionality. When the kernel stack trace trigger is enabled while tracing RCU (Read-Copy-Update) events, a dangerous recursive loop can be triggered. The stack trace code invokes RCU operations during its execution, which in turn triggers additional stack trace events, creating an unbounded recursive call chain.
The fix expands the ftrace recursion protection mechanism by adding a set of bits to protect events from recursion. Each bit represents the execution context (normal, softirq, interrupt, and NMI), allowing the kernel to detect and prevent recursive calls within the same context. The stack trace code now uses the interrupt context bit to protect against this specific recursion scenario.
Root Cause
The root cause is a missing recursion protection mechanism in the kernel stack trace recording code. The tracing subsystem did not account for the scenario where stack trace collection could trigger RCU operations, which could themselves be traced, leading to re-entrant calls to the stack trace code. The lack of context-aware recursion guards allowed the infinite loop condition to manifest.
Attack Vector
While this vulnerability requires specific kernel tracing configurations to be enabled, it could potentially be exploited by:
- An attacker with local access and sufficient privileges to enable kernel tracing
- Configuring RCU event tracing with stack trace triggers
- Triggering conditions that cause RCU operations during stack trace collection
The vulnerability primarily poses a denial of service risk through kernel stack exhaustion and subsequent system crash.
The vulnerability manifests in the tracing subsystem's stack trace recording path. When stack trace collection is triggered for an RCU event, the collection code itself may invoke RCU operations, which are also being traced, leading to recursive invocation. The fix adds recursion protection bits that track the current execution context (normal, softirq, interrupt, NMI) and prevent re-entrant calls within the same context. For technical implementation details, see the kernel git commit.
Detection Methods for CVE-2026-23138
Indicators of Compromise
- Kernel panic or system crash with stack trace showing recursive calls through ftrace and RCU functions
- System log entries indicating stack overflow in kernel tracing paths
- Repeated kernel oops messages related to the tracing subsystem
Detection Strategies
- Monitor kernel logs for stack overflow errors or recursive function call patterns
- Audit kernel tracing configurations for potentially dangerous RCU event tracing with stack triggers
- Implement kernel watchdog monitoring to detect system hangs caused by infinite loops
Monitoring Recommendations
- Enable kernel crash dump collection to capture diagnostic information during failures
- Monitor system stability metrics on systems with kernel tracing enabled
- Review dmesg output for recursion-related warnings in the tracing subsystem
How to Mitigate CVE-2026-23138
Immediate Actions Required
- Update the Linux kernel to a patched version containing the recursion protection fix
- Temporarily disable stack trace triggers for RCU events if immediate patching is not possible
- Review and audit kernel tracing configurations on affected systems
Patch Information
The vulnerability has been addressed in kernel commits available through the stable kernel tree. The fix expands ftrace recursion protection with context-aware bits to prevent recursive stack trace calls.
Relevant kernel patches:
Workarounds
- Disable kernel tracing for RCU events temporarily using echo 0 > /sys/kernel/debug/tracing/events/rcu/enable
- Avoid enabling stack trace triggers on RCU-related trace events until the kernel is patched
- Consider limiting kernel tracing capabilities to trusted administrators only
# Configuration example - Disable RCU event tracing as a temporary workaround
echo 0 > /sys/kernel/debug/tracing/events/rcu/enable
# Alternatively, disable all tracing temporarily
echo 0 > /sys/kernel/debug/tracing/tracing_on
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
