CVE-2026-23159 Overview
CVE-2026-23159 is a vulnerability in the Linux kernel's performance monitoring subsystem (perf) that can cause a system crash due to a NULL pointer dereference. The vulnerability exists in the scheduler profiling functionality when attempting to perform user space stack traces during a specific race condition window when a task exits and frees its memory management (mm) field.
The flaw stems from an incomplete check when determining whether a task is a user task. While previous implementations checked for the PF_KTHREAD and PF_USER_WORKER flags to identify kernel threads, these checks alone are insufficient. During task exit, there exists a brief window where the flags indicate a user space task, but the mm field has already been set to NULL, leading to a kernel crash when perf attempts to read from it.
Critical Impact
Local denial of service condition through kernel NULL pointer dereference crash when perf profiling triggers during task exit race condition window.
Affected Products
- Linux kernel (multiple versions with perf scheduler profiling functionality)
- Systems utilizing perf for user space stack tracing
- Systems with io-uring enabled (uses PF_USER_WORKER flag)
Discovery Timeline
- 2026-02-14 - CVE-2026-23159 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23159
Vulnerability Analysis
The vulnerability resides in how the Linux kernel's perf subsystem determines whether a task is a user task before attempting to read user space memory for stack traces. Historically, this determination was made by checking if the task_struct->mm field was non-NULL. However, kernel evolution introduced complexity: some kernel tasks now have their own mm field, and the PF_KTHREAD flag check was adopted as the primary method.
Further complications arose when io-uring helpers were introduced, which set PF_USER_WORKER instead of PF_KTHREAD. The current implementation checks these flags to determine task type, but a critical race condition exists during task exit.
When a task exits, it frees its mm field and sets it to NULL before certain exit flags are set. If perf triggers profiling during this narrow window, the flags-based check incorrectly identifies the exiting task as a valid user space task. Subsequently, when perf attempts to read from the NULL mm pointer for stack tracing, the kernel crashes with a NULL pointer dereference.
Root Cause
The root cause is an incomplete task type validation that relies solely on process flags (PF_KTHREAD and PF_USER_WORKER) without also verifying the validity of the mm field. The fix introduces a new is_user_task() helper function that performs comprehensive validation by checking both the process flags and ensuring the mm field is non-NULL before allowing user space memory access.
Attack Vector
An attacker with local access could potentially trigger this vulnerability by:
- Initiating perf profiling with user space stack trace collection enabled
- Repeatedly creating and terminating processes to increase the probability of hitting the race condition window
- Causing a kernel panic when perf attempts to dereference the NULL mm pointer
The vulnerability requires local access and the ability to use perf profiling tools. It is primarily a denial of service condition affecting system availability through kernel crashes.
Detection Methods for CVE-2026-23159
Indicators of Compromise
- Kernel panic messages containing NULL pointer dereference errors in perf-related code paths
- System crashes occurring during heavy process creation/termination while perf is active
- Kernel logs showing crashes in perf_callchain_user or related scheduler profiling functions
- Unexpected system reboots when running performance profiling tools
Detection Strategies
- Monitor kernel logs for NULL pointer dereference exceptions in the perf subsystem
- Implement kernel crash dump analysis to identify perf-related stack traces during crashes
- Track system stability issues when performance profiling is enabled on production systems
- Review crash reports for patterns matching task exit race conditions
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information during crashes
- Configure system monitoring to alert on unexpected kernel panics or reboots
- Monitor perf subsystem usage across systems to identify potential trigger conditions
- Implement centralized logging for kernel error messages related to memory access violations
How to Mitigate CVE-2026-23159
Immediate Actions Required
- Apply the latest kernel patches that introduce the is_user_task() helper function
- Consider temporarily disabling user space stack tracing in perf on critical production systems
- Review and update kernel versions on affected systems to patched releases
- Restrict perf tool access to trusted users via system permissions
Patch Information
The fix introduces a new is_user_task() helper function that performs comprehensive validation before allowing user space memory access. This helper checks both the process flags (PF_KTHREAD and PF_USER_WORKER) and verifies the mm field is non-NULL, eliminating the race condition window.
Multiple kernel patches have been released to address this vulnerability:
- Kernel Git Commit 5aac392fcd3d
- Kernel Git Commit 76ed27608f7d
- Kernel Git Commit a28fce0365e1
- Kernel Git Commit d84a4836dc24
Workarounds
- Disable perf user space stack tracing temporarily using perf configuration options
- Limit perf profiling to kernel-only stack traces until patches are applied
- Restrict access to perf tools to reduce exposure surface
- Implement process isolation for critical workloads to minimize profiling exposure
# Restrict perf access to root only (temporary mitigation)
sudo sysctl kernel.perf_event_paranoid=2
# Verify current perf access level
cat /proc/sys/kernel/perf_event_paranoid
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
