PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23311 Linux CVE debrief

A locally triggerable locking vulnerability exists in the Linux kernel's performance monitoring subsystem (perf/core). The flaw is an invalid wait context: a wait-queue lock is acquired while a perf-context lock is held, which lockdep reports as a bug. An attacker with local access could potentially trigger this condition to cause a denial of service. The vulnerability affects Linux kernel versions 6.15 through 6.18.16, 6.19 through 6.19.6, and 7.0-rc1. The fix restructures the wake-up mechanism to use irq_work instead of directly grabbing the wait-queue lock under the perf-context lock.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-26
Advisory published: 2026-03-25
Advisory updated: 2026-05-26

Who should care

Linux system administrators running kernel versions 6.15 through 6.18.16 or 6.19 through 6.19.6; security teams monitoring for local denial-of-service vectors; and organizations using performance monitoring tools that rely on the kernel perf subsystem.

Technical summary

The vulnerability exists in the perf/core subsystem's ctx_sched_in() function. When a pinned perf event fails during scheduling, the code attempts to wake up threads waiting on the ring buffer. This wake-up operation grabs a wait-queue lock while already holding the perf-context lock (ctx->lock), creating an invalid lock nesting context that lockdep detects. The fix moves the wake-up operation to irq_work, which defers the wait-queue lock acquisition to a safe context outside the perf-context lock critical section. The affected code paths are triggered during task scheduling events when performance monitoring is active.

Defensive priority

medium

Recommended defensive actions

  • Apply the upstream kernel patches to affected systems
  • Upgrade to Linux kernel 6.18.17 or later, or 6.19.7 or later
  • For 7.0-rc1, apply the relevant stable patch or upgrade to a later release candidate
  • Monitor kernel logs for lockdep warnings as indicators of exploitation attempts
  • Restrict local access to performance monitoring capabilities where possible
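
The version check and log monitoring from the list above, as an added Python example (not code from PatchSiren or the kernel project): it tests a release string against the affected ranges stated in this debrief and finds lockdep "Invalid wait context" reports whose trace names the perf scheduling functions mentioned here. Assumptions: the function names are hypothetical, the sample log is constructed, version matching follows upstream numbering only (a distribution kernel may carry the fix as a backport under an older version string), and lockdep reports appear only on kernels built with lock debugging enabled.

```python
import re

# Affected upstream ranges as listed in the debrief (inclusive bounds).
AFFECTED_RANGES = [((6, 15, 0), (6, 18, 16)), ((6, 19, 0), (6, 19, 6))]
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
BANNER = "Invalid wait context"  # lockdep report banner text
PERF_FRAMES = ("__perf_event_task_sched_in", "ctx_sched_in")  # named in the debrief

def is_affected(release):
    """True if an upstream-style release string (e.g. from `uname -r`) is in a listed range."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if version == (7, 0, 0):
        return m.group(4) == "1"  # only 7.0-rc1 is listed; other -rc tags are ignored
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def find_lockdep_hits(log_text, window=40):
    """Line indexes of lockdep reports whose trace names a perf scheduling frame."""
    lines = log_text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if BANNER not in line:
            continue
        trace = []
        for nxt in lines[i + 1:i + 1 + window]:
            if BANNER in nxt:  # next report starts here
                break
            trace.append(nxt)
        if any(frame in t for t in trace for frame in PERF_FRAMES):
            hits.append(i)
    return hits

# Constructed sample log (not from the advisory), shaped like a lockdep report.
SAMPLE_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 2
[  212.345678] [ BUG: Invalid wait context ]
[  212.345690] 3 locks held by perf/4242:
[  212.345701]  __perf_event_task_sched_in+0x00/0x00
[  300.000000] [ BUG: Invalid wait context ]
[  300.000010]  some_other_driver_path+0x00/0x00
"""

if __name__ == "__main__":
    for rel in ("6.18.16-generic", "6.18.17", "7.0.0-rc1", "6.14.9"):
        print(rel, "affected" if is_affected(rel) else "not in listed ranges")
    print("perf-related lockdep reports at lines:", find_lockdep_hits(SAMPLE_LOG))
```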

Evidence notes

Lockdep detected the invalid wait context during event scheduling when a pinned event failed and attempted to wake threads in the ring buffer. The stack trace shows the issue occurs in __perf_event_task_sched_in with multiple locks held including rcu_read_lock, cpuctx_lock, and ctx->lock. The vulnerability is classified as CWE-667 (Improper Locking).
