Description
In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix refcount bug and potential UAF in perf_mmap

Syzkaller reported a refcount_t: addition on 0; use-after-free warning
in perf_mmap.

The issue is caused by a race condition between a failing mmap() setup
and a concurrent mmap() on a dependent event (e.g., using output
redirection).

In perf_mmap(), the ring_buffer (rb) is allocated and assigned to
event->rb with the mmap_mutex held. The mutex is then released to
perform map_range().

If map_range() fails, perf_mmap_close() is called to clean up.
However, since the mutex was dropped, another thread attaching to
this event (via inherited events or output redirection) can acquire
the mutex, observe the valid event->rb pointer, and attempt to
increment its reference count. If the cleanup path has already
dropped the reference count to zero, this results in a
use-after-free or refcount saturation warning.

Fix this by extending the scope of mmap_mutex to cover the
map_range() call. This ensures that the ring buffer initialization
and mapping (or cleanup on failure) happens atomically effectively,
preventing other threads from accessing a half-initialized or
dying ring buffer.
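
The interleaving described above, replayed deterministically in a single-threaded userspace model. This is an added example, not the kernel's code or the upstream patch. All type and function names are hypothetical, and the ordering inside cleanup (reference dropped before event->rb is cleared) is a simplifying assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; names follow the description, none of this is kernel code. */
enum outcome { ATTACH_PENDING, ATTACH_OK, ATTACH_NO_RB, ATTACH_ON_ZERO_REF };
struct ring_buffer { int refcount; };
struct event { struct ring_buffer *rb; bool mmap_mutex_held; };

/* Thread B: attach to the event's buffer while holding mmap_mutex. */
static enum outcome attach(struct event *ev)
{
    enum outcome r = ATTACH_OK;
    ev->mmap_mutex_held = true;
    if (!ev->rb)
        r = ATTACH_NO_RB;               /* nothing to share: safe */
    else if (ev->rb->refcount == 0)
        r = ATTACH_ON_ZERO_REF;         /* "refcount_t: addition on 0" */
    else
        ev->rb->refcount++;
    ev->mmap_mutex_held = false;
    return r;
}

/* Thread A: mmap() whose map_range() step fails; B runs as soon as it can lock. */
enum outcome failing_mmap_vs_attach(bool hold_mutex_across_map_range)
{
    struct ring_buffer rb = { .refcount = 1 };
    struct event ev = { NULL, false };
    enum outcome b = ATTACH_PENDING;

    ev.mmap_mutex_held = true;          /* A: lock mmap_mutex */
    ev.rb = &rb;                        /* A: publish event->rb */
    if (!hold_mutex_across_map_range)
        ev.mmap_mutex_held = false;     /* pre-fix: unlock before map_range() */
    rb.refcount--;                      /* A: map_range() failed, cleanup drops ref */
    if (!ev.mmap_mutex_held)
        b = attach(&ev);                /* B gets the mutex inside the window */
    ev.rb = NULL;                       /* A: cleanup detaches the buffer */
    ev.mmap_mutex_held = false;         /* A: unlock (fixed ordering) */
    if (b == ATTACH_PENDING)
        b = attach(&ev);                /* B was blocked until cleanup finished */
    return b;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n",
           failing_mmap_vs_attach(false), failing_mmap_vs_attach(true));
    return 0;
}
```

With the mutex dropped early, the model's second thread sees a non-NULL pointer whose count is already zero; with the mutex held across the mapping step it only ever sees NULL.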
Published: 2026-03-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free leading to kernel crash or privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a race condition in the Linux kernel's perf_mmap implementation. If a failing mmap() setup is interleaved with a concurrent mmap() on the same event, the ring buffer may be released while still referenced, leading to a use‑after‑free or refcount saturation condition. An attacker who can trigger perf events that are mapped concurrently could potentially exploit this flaw to corrupt kernel memory or cause an out‑of‑band crash, which may enable privilege escalation or denial of service.

Affected Systems

Affected systems are Linux kernel deployments; the specific kernel versions are not enumerated in the available information. The issue originates from the perf subsystem and is present in all builds that include the unpatched perf_mmap code path.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% implies a low likelihood of exploitation in the wild. The vulnerability has not been listed in the CISA KEV catalog. Exploitation would require local system access or the ability to create or attach to perf events, so the attack vector is local and may require privileges. An attacker would also need to orchestrate the timing between the failing and the succeeding mmap() calls, a non-trivial requirement that reduces the risk compared to more easily exploitable flaws.

Generated by OpenCVE AI on April 2, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the perf_mmap fix
  • Verify the kernel version after the update to confirm the patch is in place
  • Reboot or restart services that use performance events to ensure the updated kernel is active
  • If an immediate kernel update is not feasible, monitor logs for anomalous perf_event usage and consider disabling performance events for untrusted users


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-665

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-665

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix refcount bug and potential UAF in perf_mmap Syzkaller reported a refcount_t: addition on 0; use-after-free warning in perf_mmap. The issue is caused by a race condition between a failing mmap() setup and a concurrent mmap() on a dependent event (e.g., using output redirection). In perf_mmap(), the ring_buffer (rb) is allocated and assigned to event->rb with the mmap_mutex held. The mutex is then released to perform map_range(). If map_range() fails, perf_mmap_close() is called to clean up. However, since the mutex was dropped, another thread attaching to this event (via inherited events or output redirection) can acquire the mutex, observe the valid event->rb pointer, and attempt to increment its reference count. If the cleanup path has already dropped the reference count to zero, this results in a use-after-free or refcount saturation warning. Fix this by extending the scope of mmap_mutex to cover the map_range() call. This ensures that the ring buffer initialization and mapping (or cleanup on failure) happens atomically effectively, preventing other threads from accessing a half-initialized or dying ring buffer.
Title perf/core: Fix refcount bug and potential UAF in perf_mmap
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:43:59.911Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23248

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T11:16:16.863

Modified: 2026-04-02T15:16:27.123

Link: CVE-2026-23248

Red Hat

Severity: Moderate

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23248 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:39:24Z

Weaknesses