CVE-2026-23380 Overview
CVE-2026-23380 is a Linux kernel vulnerability in the tracing subsystem. The flaw resides in tracing_buffers_mmap_close() and stems from improper reference counting across process forks. When a child process inherits a parent's Virtual Memory Areas (VMAs), the user_mapped reference count is not incremented. Both processes exiting trigger a double close, returning -ENODEV and firing a WARN_ON macro [CWE-617]. A local, low-privileged attacker can use madvise(MADVISE_DOFORK) to clear the VM_DONTCOPY hint and force the condition. The result is kernel log noise and potential availability impact on systems configured with panic_on_warn.
Critical Impact
Local users can trigger a kernel WARN_ON in the tracing subsystem, producing denial of service on systems where panic_on_warn is enabled.
Affected Products
- Linux Kernel 6.10
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Linux distributions shipping affected stable kernel branches
Discovery Timeline
- 2026-03-25 - CVE-2026-23380 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-23380
Vulnerability Analysis
The vulnerability lives in the kernel's ring-buffer tracing infrastructure, specifically the user-space memory mapping path. The tracing subsystem exposes trace buffers to userspace via mmap() and tracks active mappings through the user_mapped reference counter. The counter is decremented in tracing_buffers_mmap_close() when a VMA is torn down. The function returns -ENODEV and triggers WARN_ON if it executes against an already-zero counter. The Linux kernel marks these mappings with VM_DONTCOPY to prevent inheritance across fork(). However, VM_DONTCOPY is advisory and can be reset by userspace.
Root Cause
The root cause is missing reference-count maintenance in the VMA open callback for the tracing buffer mapping. When the kernel duplicates a VMA during fork(), it invokes the mapping's open handler on the child VMA but does not increment user_mapped. Both parent and child later invoke close, decrementing the counter twice from an initial value of one. The second decrement underflows the logical state, producing the warning. The fix increments user_mapped in the open callback without re-mapping the underlying pages.
Attack Vector
Exploitation requires local code execution with the ability to open trace buffer files. An attacker maps a tracing buffer, calls madvise(addr, len, MADV_DOFORK) to clear VM_DONTCOPY, then forks. When both processes exit, the kernel emits a WARN_ON splat. On hardened kernels built with CONFIG_PANIC_ON_OOPS or runtime kernel.panic_on_warn=1, this escalates to a full kernel panic and system reboot. The vulnerability does not provide memory disclosure or privilege escalation primitives.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The fix is committed across stable trees in commits 91f3e8d8, b0f269ba, cdd96641, and e39bb9e0.
Detection Methods for CVE-2026-23380
Indicators of Compromise
- Kernel log entries containing WARN_ON traces referencing tracing_buffers_mmap_close in dmesg or /var/log/kern.log
- Unexpected kernel panics on systems with kernel.panic_on_warn=1 correlated with tracing buffer consumers
- Processes invoking madvise() with the MADV_DOFORK flag on file descriptors opened from /sys/kernel/tracing/
Detection Strategies
- Monitor kernel ring buffer output for WARN_ON signatures originating in kernel/trace/trace.c and correlate with the issuing process ID
- Audit syscalls using auditd rules on openat against /sys/kernel/tracing/per_cpu/*/trace_pipe_raw followed by madvise and fork from the same PID
- Use eBPF probes attached to tracing_buffers_mmap_close to capture caller context and user_mapped state transitions
Monitoring Recommendations
- Forward kernel logs to a centralized SIEM and alert on tracing subsystem WARN_ON events
- Track which non-root accounts hold read access to /sys/kernel/tracing and /sys/kernel/debug/tracing mount points
- Baseline legitimate use of the tracing interface by tools such as perf, bpftrace, and trace-cmd to surface anomalous callers
How to Mitigate CVE-2026-23380
Immediate Actions Required
- Apply the upstream stable kernel patches referenced by commits 91f3e8d8, b0f269ba, cdd96641, and e39bb9e0 once shipped by your distribution
- Restrict access to /sys/kernel/tracing and /sys/kernel/debug/tracing to the root user or a dedicated tracing group
- Disable kernel.panic_on_warn on production systems where availability outweighs strict fail-closed behavior, until patched
Patch Information
The fix is merged into the mainline Linux kernel and backported to affected stable branches. Reference the upstream commits: Kernel Git Commit 91f3e8d, Kernel Git Commit b0f269ba, Kernel Git Commit cdd96641, and Kernel Git Commit e39bb9e0. Track your distribution's security advisories for backported package versions.
Workarounds
- Mount tracefs and debugfs with restrictive permissions (mode=0700) and limit membership of any tracing-capable groups
- Use Linux Security Modules such as SELinux or AppArmor to deny madvise with MADV_DOFORK on tracing-buffer mappings for unprivileged processes
- Disable the tracing subsystem at boot using tracing_off or remove CONFIG_TRACING from custom kernel builds where it is not required
# Restrict tracefs access to root until kernel patches are applied
mount -o remount,mode=0700 /sys/kernel/tracing
chmod 0700 /sys/kernel/debug/tracing
# Temporarily disable panic-on-warn to prevent forced reboots from this WARN_ON
sysctl -w kernel.panic_on_warn=0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
