CVE-2026-23311 Overview
CVE-2026-23311 is a race condition vulnerability in the Linux kernel's performance monitoring subsystem (perf/core). The vulnerability exists in the ctx_sched_in() function where an invalid wait context is triggered during event scheduling. Specifically, when a pinned event fails and attempts to wake up threads in the ring buffer, the code improperly grabs a wait-queue lock while already holding the perf-context lock, leading to a lock ordering violation detected by lockdep.
Critical Impact
This vulnerability can lead to system instability, potential deadlocks, or denial of service conditions on affected Linux systems when the performance monitoring subsystem is in use.
Affected Products
- Linux kernel versions prior to patched releases
- Systems utilizing the perf performance monitoring subsystem
- Linux distributions running vulnerable kernel versions
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23311 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23311
Vulnerability Analysis
This vulnerability stems from a lock ordering issue in the kernel's performance event scheduling code. The ctx_sched_in() function, which handles scheduling of performance monitoring contexts, attempts to acquire a wait-queue lock (&event->waitq) while already holding multiple locks including the perf-context lock (&ctx->lock) and CPU context lock (&cpuctx_lock).
The lockdep subsystem identified that this creates an invalid wait context scenario. When a pinned performance event fails, the code path calls __wake_up() to notify waiting threads in the ring buffer. However, this operation requires acquiring lock class {3:3} while already in context-{5:5}, which violates the kernel's locking hierarchy rules.
The fix involves deferring the wake-up operation using irq_work, which allows the wait-queue lock acquisition to occur outside the critical section where the perf-context locks are held.
Root Cause
The root cause is improper lock ordering in the performance event wake-up path. The kernel holds four locks when the issue occurs:
- rcu_read_lock - held during __perf_event_task_sched_in()
- &cpuctx_lock - CPU context lock
- &ctx->lock - Performance context lock
- rcu_read_lock - held during perf_event_wakeup()
Attempting to acquire the wait-queue lock (&event->waitq) while holding these locks creates an invalid context that can lead to deadlock or system instability.
Attack Vector
The vulnerability is triggered through local access when the performance monitoring subsystem is active. An attacker or normal user process utilizing perf events could potentially trigger this condition, leading to system instability or denial of service. The attack vector requires local access to the system and the ability to use performance monitoring interfaces.
The vulnerability manifests during event scheduling when pinned events fail. The kernel's lockdep mechanism detects the invalid wait context when the code attempts to wake up threads waiting on the event's ring buffer. See the kernel git commits for technical implementation details.
Detection Methods for CVE-2026-23311
Indicators of Compromise
- Kernel log messages containing "BUG: Invalid wait context" from lockdep
- System instability or hangs when performance monitoring tools are in use
- Kernel warnings referencing ctx_sched_in() or perf_event_wakeup() in stack traces
Detection Strategies
- Monitor kernel logs (dmesg) for lockdep warnings related to perf subsystem
- Enable lockdep in development/testing kernels to proactively detect the condition
- Review system stability issues occurring during performance monitoring workloads
Monitoring Recommendations
- Configure syslog monitoring for kernel lockdep messages and invalid wait context errors
- Implement alerting on kernel BUG messages related to perf/core subsystem
- Monitor for unexpected system reboots or kernel panics on systems using perf extensively
How to Mitigate CVE-2026-23311
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- Review and apply vendor-specific kernel updates for your Linux distribution
- Consider temporarily limiting use of performance monitoring tools on critical systems until patched
Patch Information
The vulnerability has been resolved in the Linux kernel through multiple commits that defer the wake-up operation using irq_work. The fix ensures that the wait-queue lock is not acquired while holding the perf-context locks.
Patched versions are available through the following kernel git commits:
Workarounds
- Restrict access to perf_event_open syscall using kernel.perf_event_paranoid sysctl settings
- Limit performance monitoring usage to privileged users only until patches are applied
- Monitor systems for signs of instability and have recovery procedures ready
# Restrict perf_event access as a temporary mitigation
echo 3 > /proc/sys/kernel/perf_event_paranoid
# Make setting persistent across reboots
echo "kernel.perf_event_paranoid = 3" >> /etc/sysctl.conf
sysctl -p
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
