PatchSiren cyber security CVE debrief

CVE-2026-23309 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's tracing subsystem. When trigger_data_alloc() fails and returns NULL, the error handling path in event_hist_trigger_parse() calls trigger_data_free(), which does not check for NULL before dereferencing data->cmd_ops->set_filter. This flaw affects multiple stable kernel branches and could lead to a denial of service (system crash) when triggered by a local user with privileges to configure tracing histogram triggers. The vulnerability was discovered by an experimental code review agent during backport review for v6.18.y. Patches have been committed to stable kernel branches to add the missing NULL pointer check.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-28
Advisory published: 2026-03-25
Advisory updated: 2026-05-28

Who should care

Linux system administrators running affected kernel versions, particularly those using kernel tracing and histogram features; security teams monitoring kernel-level vulnerabilities; organizations with custom kernel builds or delayed patching cycles

Technical summary

The vulnerability exists in kernel/trace/trace_events_hist.c in the trigger_data_free() function. When trigger_data_alloc() fails during histogram trigger parsing, the error path calls trigger_data_free() with a NULL pointer. Unlike kfree(), which safely handles NULL, trigger_data_free() attempts to evaluate data->cmd_ops->set_filter without validation, causing a NULL pointer dereference. The fix adds a simple NULL check at the beginning of trigger_data_free() before any pointer dereferencing occurs. This is a defensive coding issue in error handling paths that requires local access to trigger.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates to patched versions: 6.1.167 or later, 6.6.130 or later, 6.12.77 or later, 6.18.17 or later, 6.19.7 or later, or 7.0-rc3 or later
  • Verify kernel version using uname -r and compare against affected version ranges
  • If running affected kernel versions and unable to immediately patch, consider restricting access to tracing histogram configuration via appropriate permissions
  • Monitor system logs for unexpected crashes in tracing-related operations
  • Review custom tracing configurations for potential trigger paths that could exercise the vulnerable code path

Evidence notes

The vulnerability is classified as CWE-476 (NULL Pointer Dereference). The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact. Affected versions span multiple stable branches: 6.1.165 to 6.1.167 (exclusive), 6.6.128 to 6.6.130 (exclusive), 6.12.75 to 6.12.77 (exclusive), 6.18.14 to 6.18.17 (exclusive), 6.19.4 to 6.19.7 (exclusive), and 7.0-rc1/rc2. Six patch commits are referenced from kernel.org stable repositories.
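
The version check from the recommended actions, written against the affected ranges listed above. This is an added example, not part of the advisory or the kernel patches; the function name cve_2026_23309_status and its output labels (affected, not-affected, not-listed) are hypothetical, and the sample release strings are constructed.

```sh
#!/bin/sh
# Added example (not from the advisory): classify a kernel release string
# against the affected ranges this page lists for CVE-2026-23309.
# The function name and the output labels are hypothetical.

# Page data, one series per line: SERIES FIRST_AFFECTED_PATCH FIRST_FIXED_PATCH
RANGES="6.1 165 167
6.6 128 130
6.12 75 77
6.18 14 17
6.19 4 7"

cve_2026_23309_status() {
    rel=$1
    # 7.0 pre-releases: the page lists rc1/rc2 as affected, rc3 or later as fixed.
    case $rel in
        7.0-rc[0-9]*|7.0.0-rc[0-9]*)
            rc=${rel#*-rc}; rc=${rc%%[!0-9]*}
            if [ "$rc" -lt 3 ]; then echo affected; else echo not-affected; fi
            return 0 ;;
    esac
    ver=${rel%%[!0-9.]*}          # "6.6.129-generic" -> "6.6.129"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.[0-9]*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *) patch= ;;
    esac
    result=not-listed             # series absent from the page, or unparseable
    while read -r series first fixed; do
        [ -n "$patch" ] && [ "$series" = "$major.$minor" ] || continue
        if [ "$patch" -ge "$first" ] && [ "$patch" -lt "$fixed" ]; then
            result=affected
        else
            result=not-affected
        fi
        break
    done <<EOF
$RANGES
EOF
    echo "$result"
}

# Constructed sample input, followed by the running host.
for r in 6.6.129-generic 6.12.77 7.0.0-rc2 "$(uname -r)"; do
    printf '%s\t%s\n' "$r" "$(cve_2026_23309_status "$r")"
done
```

Distribution kernels often backport fixes without changing the upstream version that uname -r reports, so the comparison is reliable only for kernels built from upstream stable releases; for vendor kernels, the vendor's own advisory decides.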
