PatchSiren

CVE-2026-23248 Linux CVE debrief

CVE-2026-23248 is a Linux kernel vulnerability in perf/core where a race during perf_mmap() could expose a ring buffer after mmap() setup fails, leading to a refcount error and potential use-after-free. The issue is fixed by keeping mmap_mutex held across map_range() so buffer setup, mapping, and cleanup behave atomically from other threads’ perspective.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-18
Original CVE updated: 2026-05-21
Advisory published: 2026-03-18
Advisory updated: 2026-05-21

Who should care

Linux kernel operators, distro maintainers, and anyone running systems that expose perf_event/perf tooling to trusted local users should prioritize this issue, especially on multi-user hosts and development or observability environments.

Technical summary

According to the supplied NVD record and kernel patch references, perf_mmap() allocates a ring buffer, assigns it to event->rb while holding mmap_mutex, then drops the mutex before map_range(). If map_range() fails, perf_mmap_close() runs cleanup. That unlock window can allow a concurrent thread on a dependent or inherited event to see a valid-looking event->rb and try to take a reference after cleanup has reduced the refcount to zero. The result is a refcount_t warning and potential use-after-free. The fix extends the mutex scope over map_range() to prevent concurrent access to a partially initialized or dying ring buffer. NVD classifies the weakness as CWE-416 and rates it CVSS 3.1 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Defensive priority

High. This is a kernel memory-safety flaw with broad confidentiality, integrity, and availability impact, but it requires local privileges and is not listed as a known-exploited issue in the supplied enrichment.

Recommended defensive actions

  • Apply the vendor or upstream kernel patches referenced by NVD.
  • Upgrade to a kernel release that includes the fix; NVD marks affected ranges as before 6.18.17 and before 6.19.7, plus 7.0-rc1.
  • Verify your distribution’s backport status, since many vendors ship fixed code under the same base version number.
  • Limit access to perf-related features and local accounts on shared systems until patched, especially where perf_event usage is not required.
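
A triage helper for the actions above, added here as an example (it is not vendor or upstream tooling). It classifies a kernel release string against the upstream ranges quoted on this page and reports the current perf_event_paranoid setting; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2026-23248, not vendor tooling.
# Ranges are the upstream ones quoted on this page (fixed in 6.18.17 and
# 6.19.7; 7.0-rc1 affected). Distro kernels may carry a backport under an
# older version string, so "in-affected-range" means "confirm with the vendor".

classify_kernel() {
    ck_rel=$1
    case $ck_rel in
        7.0-rc1|7.0-rc1[!0-9]*|7.0.0-rc1|7.0.0-rc1[!0-9]*)
            echo in-affected-range; return 0 ;;
    esac
    ck_base=${ck_rel%%[-+]*}    # drop distro/local suffix: 6.18.5-200.fc43 -> 6.18.5
    case $ck_base in
        *.*) ;;
        *) echo unparsed; return 0 ;;
    esac
    ck_major=${ck_base%%.*}
    ck_rest=${ck_base#*.}
    ck_minor=${ck_rest%%.*}
    case $ck_rest in
        *.*) ck_patch=${ck_rest#*.}; ck_patch=${ck_patch%%.*} ;;
        *)   ck_patch=0 ;;
    esac
    for ck_n in "$ck_major" "$ck_minor" "$ck_patch"; do
        case $ck_n in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    done
    case "$ck_major.$ck_minor" in
        6.18) ck_fixed=17 ;;
        6.19) ck_fixed=7 ;;
        # The page gives no lower bound and no other branches: do not guess.
        *) echo check-advisory; return 0 ;;
    esac
    if [ "$ck_patch" -lt "$ck_fixed" ]; then
        echo in-affected-range
    else
        echo fixed-upstream
    fi
}

# Print the perf_event_paranoid sysctl value (path overridable for testing).
perf_paranoid() {
    cat "${1:-/proc/sys/kernel/perf_event_paranoid}" 2>/dev/null || echo unavailable
}

printf 'kernel %s: %s\n' "$(uname -r)" "$(classify_kernel "$(uname -r)")"
printf 'perf_event_paranoid: %s\n' "$(perf_paranoid)"
```

A check-advisory result means the release falls outside the two stable branches named on this page, so the NVD record or the distribution's advisory has to decide.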

Evidence notes

The supplied source corpus states that Syzkaller reported a refcount_t addition-on-0 and use-after-free warning in perf_mmap. It explains the race between a failing mmap() setup and a concurrent mmap() on a dependent event, and says the fix is to extend mmap_mutex across map_range(). The NVD record supplied here lists CWE-416, CVSS 7.8, and affected Linux kernel version ranges, and includes three official kernel.org patch references.

Official resources

CVE published 2026-03-18T11:16:16.863Z; last modified 2026-05-21T18:45:54.603Z.