Description
In the Linux kernel, the following vulnerability has been resolved:

perf: Fix __perf_event_overflow() vs perf_remove_from_context() race

Make sure that __perf_event_overflow() runs with IRQs disabled for all
possible callchains. Specifically the software events can end up running
it with only preemption disabled.

This opens up a race vs perf_event_exit_event() and friends that will go
and free various things the overflow path expects to be present, like
the BPF program.
Published: 2026-03-20
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a race condition that occurs when the __perf_event_overflow() handler runs with only preemption disabled while the perf_event_exit_event() path frees objects that the overflow handler still expects to exist, such as BPF programs. The race can result in the handler dereferencing freed memory, which may lead to kernel memory corruption and a system crash. While the description does not explicitly state privilege escalation, memory corruption could potentially be leveraged by an attacker with sufficient execution control, so the impact may extend beyond denial of service.

Affected Systems

All Linux kernel implementations that do not include the patch enforcing IRQ disable in __perf_event_overflow() are affected. This covers every distribution kernel shipped before the commit that introduces the fix, including kernels listed in the provided CPEs (e.g., any kernel prior to 7.0‑rc1 that lacks the update). The flaw exists in systems that have the perf subsystem and BPF support enabled.

Risk and Exploitability

The CVSS score of 7.8 categorizes the flaw as high severity, while the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild. The vulnerability is not tracked in CISA’s KEV catalog. Exploitation would generally require a local attacker who can trigger a perf event overflow and race the cleanup path, implying that privileged or local access is needed to create the conditions necessary for the flaw to be triggered.

Generated by OpenCVE AI on May 26, 2026 at 15:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the race condition fix, which disables IRQs inside __perf_event_overflow()
  • If an immediate kernel update is not possible, temporarily disable the perf event handling or BPF subsystem to eliminate the race condition until a patched kernel is deployed
  • Monitor kernel logs for signs of perf overflow crashes and schedule the update at the earliest opportunity

Generated by OpenCVE AI on May 26, 2026 at 15:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 20 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 20 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.
Title perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:38.124Z

Reserved: 2026-01-13T15:37:45.991Z

Link: CVE-2026-23271

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T09:16:11.773

Modified: 2026-05-22T18:23:41.747

Link: CVE-2026-23271

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23271 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T16:00:11Z

Weaknesses