CVE-2026-23435: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23435 Overview

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Performance Monitoring Unit (PMU) subsystem for x86 architecture. The vulnerability exists in the x86_pmu_enable() function where improper event pointer setup can lead to a system crash when the PMU NMI handler attempts to access an uninitialized event pointer. This issue specifically affects AMD EPYC systems running performance monitoring workloads and can result in a complete system crash (kernel panic).

Critical Impact
Production AMD EPYC systems may experience kernel panics and complete system crashes when performance monitoring events are throttled and then unthrottled during normal operation, potentially causing significant service disruption.

Affected Products

Linux kernel with perf/x86 PMU subsystem (AMD EPYC systems)
Systems using AMD PMU v2 interrupt handler (amd_pmu_v2_handle_irq)
Linux kernel versions prior to the security patch

Discovery Timeline

2026-04-03 - CVE CVE-2026-23435 published to NVD
2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-23435

Vulnerability Analysis

This vulnerability is a NULL pointer dereference that occurs in the Linux kernel's x86 PMU (Performance Monitoring Unit) subsystem. The flaw manifests during a specific race condition sequence involving performance event throttling and rescheduling. When a group of perf events overflows, the kernel triggers a group throttle via perf_event_throttle_group(), stopping all events and clearing the active_mask bits while preserving the events[] array.

The root issue stems from commit 7e772a93eb61 which moved the cpuc->events[idx] assignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(), after the PERF_HES_ARCH check. This change inadvertently broke any code path that calls pmu->start() without going through x86_pmu_enable() — specifically the unthrottle path.

During the crash, drgn inspection of the vmcore revealed a critical mismatch between cpuc->active_mask and cpuc->events[]: bit 2 of active_mask was set (value 0x1e indicating bits 1, 2, 3, 4), but events[2] was NULL while the other event pointers were valid. This state inconsistency directly led to the NULL pointer dereference when the NMI handler attempted to process the active counter.

Root Cause

The vulnerability originates from the code reorganization in commit 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss"). This commit moved the cpuc->events[hwc->idx] assignment to occur after the PERF_HES_ARCH check in x86_pmu_enable(). When stopped events need to move counters, they receive the PERF_HES_ARCH flag and events[old_idx] is cleared, but in step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events to be skipped, meaning events[new_idx] is never populated.

Attack Vector

The vulnerability is triggered through a race condition sequence during normal system operation:

A group of perf events overflows, triggering group throttle via perf_event_throttle_group(). All events are stopped with active_mask bits cleared.
While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs due to other scheduling activity. Stopped events that need to move counters get PERF_HES_ARCH set and events[old_idx] cleared, but events[new_idx] is never set due to the PERF_HES_ARCH skip condition.
The timer tick unthrottles the group via pmu->start(). Since the events[] assignment was removed from x86_pmu_start(), active_mask[new_idx] is set but events[new_idx] remains NULL.
A PMC overflow NMI fires. The handler iterates active counters, finds active_mask[2] set, reads events[2] which is NULL, and crashes when dereferencing it in x86_perf_event_update() at the if (unlikely(!hwc->event_base)) check.

The kernel crash manifests with the following signature:

BUG: kernel NULL pointer dereference, address: 0000000000000198
RIP: x86_perf_event_update+0xc/0xa0
Call Trace:
 <NMI>
 amd_pmu_v2_handle_irq+0x1a6/0x390
 perf_event_nmi_handler+0x24/0x40

Detection Methods for CVE-2026-23435

Indicators of Compromise

Kernel panic messages containing NULL pointer dereference at address 0x0000000000000198
Stack traces showing x86_perf_event_update, amd_pmu_v2_handle_irq, and perf_event_nmi_handler functions
System crashes occurring during heavy performance monitoring workloads on AMD EPYC systems
Kernel logs showing NMI handler failures related to PMU events

Detection Strategies

Monitor /var/log/kern.log and dmesg output for NULL pointer dereference errors in perf subsystem functions
Deploy kernel crash dump analysis tools (kdump/crash) to capture and analyze vmcore files for evidence of cpuc->events[] and active_mask mismatches
Implement automated log monitoring for patterns matching x86_perf_event_update and BUG: kernel NULL pointer dereference

Monitoring Recommendations

Enable kernel crash dumps via kdump to capture diagnostic information when crashes occur
Configure syslog alerting for kernel panic patterns related to perf/x86 subsystem
Monitor system uptime and unexpected reboots on AMD EPYC systems with active performance monitoring

How to Mitigate CVE-2026-23435

Immediate Actions Required

Review kernel version and determine if vulnerable code paths are present
Consider temporarily disabling or reducing performance monitoring event collection on affected AMD EPYC production systems until patched
Schedule maintenance windows for kernel updates on critical infrastructure
Prepare for kernel updates by testing patches in staging environments first

Patch Information

The Linux kernel maintainers have resolved this vulnerability by moving the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to occur before the PERF_HES_ARCH check. This ensures that events[] is populated even for events that are not immediately started, guaranteeing that the unthrottle path via pmu->start() always finds a valid event pointer.

Patches are available through the following kernel.org commits:

Workarounds

Reduce the frequency of performance monitoring event collection to minimize throttle/unthrottle cycles
Limit the number of concurrent perf events running on affected systems
If possible, avoid running performance monitoring workloads that frequently trigger event throttling
Consider using alternative monitoring approaches that don't rely on hardware PMU counters until patching is complete

bash

# Check current kernel version for vulnerability assessment
uname -r

# Review kernel logs for signs of PMU-related issues
dmesg | grep -E "(perf|pmu|x86_perf_event_update)"

# Verify if AMD EPYC PMU v2 handler is in use
grep -r "amd_pmu" /proc/kallsyms 2>/dev/null | head -5

CVE-2026-23435 Overview

Critical Impact
Production AMD EPYC systems may experience kernel panics and complete system crashes when performance monitoring events are throttled and then unthrottled during normal operation, potentially causing significant service disruption.

Affected Products

Linux kernel with perf/x86 PMU subsystem (AMD EPYC systems)
Systems using AMD PMU v2 interrupt handler (amd_pmu_v2_handle_irq)
Linux kernel versions prior to the security patch

Discovery Timeline

2026-04-03 - CVE CVE-2026-23435 published to NVD
2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-23435

Vulnerability Analysis

Root Cause

Attack Vector

The vulnerability is triggered through a race condition sequence during normal system operation:

A group of perf events overflows, triggering group throttle via perf_event_throttle_group(). All events are stopped with active_mask bits cleared.
While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs due to other scheduling activity. Stopped events that need to move counters get PERF_HES_ARCH set and events[old_idx] cleared, but events[new_idx] is never set due to the PERF_HES_ARCH skip condition.
The timer tick unthrottles the group via pmu->start(). Since the events[] assignment was removed from x86_pmu_start(), active_mask[new_idx] is set but events[new_idx] remains NULL.
A PMC overflow NMI fires. The handler iterates active counters, finds active_mask[2] set, reads events[2] which is NULL, and crashes when dereferencing it in x86_perf_event_update() at the if (unlikely(!hwc->event_base)) check.

The kernel crash manifests with the following signature:

BUG: kernel NULL pointer dereference, address: 0000000000000198
RIP: x86_perf_event_update+0xc/0xa0
Call Trace:
 <NMI>
 amd_pmu_v2_handle_irq+0x1a6/0x390
 perf_event_nmi_handler+0x24/0x40

Detection Methods for CVE-2026-23435

Indicators of Compromise

Kernel panic messages containing NULL pointer dereference at address 0x0000000000000198
Stack traces showing x86_perf_event_update, amd_pmu_v2_handle_irq, and perf_event_nmi_handler functions
System crashes occurring during heavy performance monitoring workloads on AMD EPYC systems
Kernel logs showing NMI handler failures related to PMU events

Detection Strategies

Monitor /var/log/kern.log and dmesg output for NULL pointer dereference errors in perf subsystem functions
Deploy kernel crash dump analysis tools (kdump/crash) to capture and analyze vmcore files for evidence of cpuc->events[] and active_mask mismatches
Implement automated log monitoring for patterns matching x86_perf_event_update and BUG: kernel NULL pointer dereference

Monitoring Recommendations

Enable kernel crash dumps via kdump to capture diagnostic information when crashes occur
Configure syslog alerting for kernel panic patterns related to perf/x86 subsystem
Monitor system uptime and unexpected reboots on AMD EPYC systems with active performance monitoring

How to Mitigate CVE-2026-23435

Immediate Actions Required

Review kernel version and determine if vulnerable code paths are present
Consider temporarily disabling or reducing performance monitoring event collection on affected AMD EPYC production systems until patched
Schedule maintenance windows for kernel updates on critical infrastructure
Prepare for kernel updates by testing patches in staging environments first

Patch Information

Patches are available through the following kernel.org commits:

Workarounds

Reduce the frequency of performance monitoring event collection to minimize throttle/unthrottle cycles
Limit the number of concurrent perf events running on affected systems
If possible, avoid running performance monitoring workloads that frequently trigger event throttling
Consider using alternative monitoring approaches that don't rely on hardware PMU counters until patching is complete

bash

# Check current kernel version for vulnerability assessment
uname -r

# Review kernel logs for signs of PMU-related issues
dmesg | grep -E "(perf|pmu|x86_perf_event_update)"

# Verify if AMD EPYC PMU v2 handler is in use
grep -r "amd_pmu" /proc/kallsyms 2>/dev/null | head -5

CVE-2026-23435: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23435 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-23435

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-23435

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-23435

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-23435: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23435 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-23435

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-23435

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-23435

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform