CVE-2026-46272 Overview
CVE-2026-46272 is a race condition vulnerability in the Linux kernel's CoreSight Trace Memory Controller Embedded Trace Router (TMC-ETR) driver. The flaw occurs when sysfs mode and perf mode are enabled simultaneously on the same hardware tracing sink. The sysfs enablement path splits buffer allocation and hardware enablement into two separate critical regions protected by drvdata->spinlock, creating a window where perf mode can interleave and reassign drvdata->etr_buf. When the sysfs path subsequently calls tmc_etr_enable_hw(), the WARN_ON(drvdata->etr_buf) assertion triggers because the buffer pointer was already initialized by the perf mode operation.
Critical Impact
Concurrent use of perf and sysfs CoreSight tracing modes can corrupt driver state and trigger kernel warnings on systems with TMC-ETR hardware tracing.
Affected Products
- Linux kernel — CoreSight TMC driver (drivers/hwtracing/coresight/coresight-tmc-etr.c)
- Systems with ARM CoreSight hardware tracing components
- Kernel versions prior to the fixing commits referenced in upstream stable trees
Discovery Timeline
- 2026-06-03 - CVE-2026-46272 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46272
Vulnerability Analysis
The vulnerability resides in the CoreSight TMC-ETR driver, which manages on-chip trace data routing to system memory. The driver supports two operational modes: sysfs mode for manual tracing control and perf mode for integration with the Linux perf subsystem. The sysfs enablement sequence separates buffer allocation in tmc_etr_get_sysfs_buffer() from hardware enablement in tmc_etr_enable_hw(), releasing the spinlock between the two operations.
During this gap, a concurrent perf mode enablement can acquire the spinlock, execute tmc_etr_enable_hw(), and assign etr_perf->etr_buf to drvdata->etr_buf. When the sysfs path reacquires the lock and calls tmc_etr_enable_hw(), the WARN_ON(drvdata->etr_buf) assertion fires because the buffer pointer is no longer NULL. The result is corrupted driver state and a kernel warning trace.
Root Cause
The root cause is a non-atomic two-phase enablement sequence in the sysfs path. The driver releases drvdata->spinlock between buffer allocation and hardware enablement, violating the implicit invariant that drvdata->etr_buf remains NULL across the operation. No second check verifies whether another mode initialized the buffer during the unlocked window.
Attack Vector
Exploitation requires local access with permissions to interact with the CoreSight sysfs interface and the perf subsystem. An unprivileged user with appropriate access to /sys/bus/coresight/ and perf_event_open() can trigger the race by concurrently enabling tracing through both interfaces. The impact is limited to kernel state corruption within the tracing subsystem and a warning splat; no memory corruption or privilege escalation is documented in the upstream fix.
The fix retains a CS_MODE_PERF check inside get_etr_sysfs_buf so the sysfs path verifies whether perf mode is already running before allocating a buffer, and re-validates state before enabling the hardware. See the upstream commits for the exact patch logic: 38a07194bbcd, 6906aa70d4fc, and e6e43e82c79c.
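The interleaving described above can be reproduced deterministically in a small user-space model. This is an added example, not the driver's code or the upstream patch: `Drvdata`, `enable_hw`, `enable_perf`, `enable_sysfs` and `run_interleaving` are hypothetical names, and the `recheck` flag stands in for the re-validation the fix performs before enabling the hardware.

```python
import threading

DISABLED, SYSFS, PERF = "disabled", "sysfs", "perf"

class Drvdata:
    """Toy stand-in for the state guarded by drvdata->spinlock."""
    def __init__(self):
        self.spinlock = threading.Lock()
        self.mode = DISABLED
        self.etr_buf = None       # buffer currently bound to the hardware
        self.warnings = 0         # counts simulated WARN_ON hits

def enable_hw(drv, buf):
    """Model of tmc_etr_enable_hw(): caller holds the lock, etr_buf must be unset."""
    assert drv.spinlock.locked()
    if drv.etr_buf is not None:   # WARN_ON(drvdata->etr_buf)
        drv.warnings += 1
        return "warned"
    drv.etr_buf = buf
    return "ok"

def enable_perf(drv):
    """Perf path: a single critical region that binds its own buffer."""
    with drv.spinlock:
        if drv.mode == SYSFS:
            return "busy"
        result = enable_hw(drv, object())
        if result == "ok":
            drv.mode = PERF
        return result

def enable_sysfs(drv, recheck, in_window=lambda: None):
    """Sysfs path: two critical regions with an unlocked window between them."""
    with drv.spinlock:                       # region 1: prepare the buffer
        if drv.mode == PERF:
            return "busy"
        buf = object()
    in_window()                              # lock dropped: perf may run here
    with drv.spinlock:                       # region 2: enable the hardware
        if recheck and drv.mode == PERF:     # modelled fix: re-validate state
            return "busy"
        result = enable_hw(drv, buf)
        if result == "ok":
            drv.mode = SYSFS
        return result

def run_interleaving(recheck):  # forces perf enablement into the unlocked window
    drv = Drvdata()
    result = enable_sysfs(drv, recheck, in_window=lambda: enable_perf(drv))
    return result, drv.warnings, drv.mode
```

Without the re-check the sysfs path reaches `enable_hw` with `etr_buf` already set and the simulated warning fires; with it, the sysfs request is refused and perf keeps ownership of the sink.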
Detection Methods for CVE-2026-46272
Indicators of Compromise
- Kernel log entries containing WARNING: ... at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw
- Call traces referencing tmc_enable_etr_sink, coresight_enable_path, and coresight_enable_sysfs
- Concurrent activity against /sys/bus/coresight/devices/*/enable_source and perf_event_open() syscalls targeting CoreSight PMUs
Detection Strategies
- Monitor dmesg and persistent kernel logs for tmc_etr_enable_hw warning signatures on ARM systems with CoreSight hardware
- Audit workloads or test harnesses that exercise both sysfs and perf tracing paths against the same TMC sink
- Track kernel versions across the fleet to identify hosts running pre-patch builds of the CoreSight TMC driver
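One way to turn the indicators above into a log check, as an added example that is not part of the original advisory: it matches the `tmc_etr_enable_hw` warning and then looks for the three sysfs-path frames in the trace that follows. `find_tmc_etr_warnings` and the `sysfs_path_confirmed` field are hypothetical names, and the sample log is constructed.

```python
import re

# The line number after the file name differs between kernel builds, so it is not pinned.
WARN_RE = re.compile(r"WARNING:.*coresight-tmc-etr\.c:\d+ tmc_etr_enable_hw")
FRAMES = ("tmc_enable_etr_sink", "coresight_enable_path", "coresight_enable_sysfs")

def find_tmc_etr_warnings(lines, max_trace_lines=40):
    """Return one finding per matching WARNING, with the sysfs-path frames seen after it."""
    findings = []
    for idx, line in enumerate(lines):
        if not WARN_RE.search(line):
            continue
        seen = set()
        for follow in lines[idx + 1: idx + 1 + max_trace_lines]:
            if "---[ end trace" in follow or "WARNING:" in follow:
                break                      # this splat ended or the next one began
            seen.update(f for f in FRAMES if f in follow)
        findings.append({
            "line": idx + 1,               # 1-based line number in the input
            "frames": sorted(seen),
            "sysfs_path_confirmed": seen == set(FRAMES),
        })
    return findings

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
[  412.118204] ------------[ cut here ]------------
[  412.118311] WARNING: CPU: 2 PID: 901 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0x3c/0xe0
[  412.118420] Call trace:
[  412.118455]  tmc_etr_enable_hw+0x3c/0xe0
[  412.118490]  tmc_enable_etr_sink+0x11c/0x250
[  412.118522]  coresight_enable_path+0x1c8/0x218
[  412.118560]  coresight_enable_sysfs+0xa4/0x1e0
[  412.118601] ---[ end trace 0000000000000000 ]---
[  530.004410] WARNING: CPU: 0 PID: 77 at drivers/example/other.c:10 other_func+0x10/0x20
[  611.220015] WARNING: CPU: 1 PID: 950 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1071 tmc_etr_enable_hw+0x3c/0xe0
[  611.220101]  tmc_enable_etr_sink+0x11c/0x250
""".splitlines()

if __name__ == "__main__":
    for finding in find_tmc_etr_warnings(SAMPLE_LOG):
        print(finding)
```

A finding with `sysfs_path_confirmed` set to false still matches the warning signature; it only means the trace was truncated or did not come through the sysfs enablement path.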
Monitoring Recommendations
- Forward kernel logs to a centralized log aggregation platform and alert on CoreSight warning patterns
- Inventory ARM-based hosts using CoreSight tracing (typical in development, performance engineering, and embedded fleets)
- Correlate warning events with user sessions invoking perf record -e cs_etm// while sysfs tracing is active
How to Mitigate CVE-2026-46272
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits to all affected hosts
- Restrict write access to CoreSight sysfs nodes under /sys/bus/coresight/ to administrative users only
- Avoid running concurrent sysfs and perf CoreSight tracing sessions against the same TMC-ETR sink until patches are deployed
Patch Information
The fix is committed upstream across three stable kernel commits: 38a07194bbcd, 6906aa70d4fc, and e6e43e82c79c. The patch re-checks CS_MODE_PERF inside get_etr_sysfs_buf and validates driver state before enabling the hardware in sysfs mode. Rebuild and deploy kernels incorporating these commits, or pull vendor-provided backports.
Workarounds
- Disable CoreSight tracing on production systems where it is not required by unloading the coresight_tmc module
- Enforce operational policy preventing simultaneous use of sysfs and perf modes against the same trace sink
- Restrict CoreSight sysfs and perf event access via Linux capabilities, cgroups, or kernel lockdown features
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


