CVE-2026-23309 - Vulnerability Details

- tracing: Add NULL pointer check to trigger_data_free()

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Add NULL pointer check to trigger_data_free()

If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()
jumps to the out_free error path. While kfree() safely handles a NULL
pointer, trigger_data_free() does not. This causes a NULL pointer
dereference in trigger_data_free() when evaluating
data->cmd_ops->set_filter.

Fix the problem by adding a NULL pointer check to trigger_data_free().

The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.

Published: 2026-03-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A failure in the Linux kernel tracing subsystem may cause trigger_data_free() to dereference a NULL pointer, resulting in a kernel panic and a system reboot. The impact is a denial of service of the affected host, not a remote code execution or data theft.

Affected Systems

The flaw resides in the Linux kernel tracing code, affecting all kernel releases that contain the trigger_data_free routine prior to the introduction of a NULL check. The vulnerability was discovered in backports to version 6.18.y, so any distribution shipping those or earlier kernels without the patch is impacted.

Risk and Exploitability

The exploit probability is very low (EPSS < 1%) and the issue is not listed in CISA’s KEV catalog. Nonetheless, a local or privileged attacker can trigger the vulnerable path and force a kernel crash, resulting in temporary denial of service. The risk is moderate but mitigated by the low likelihood of exploitation and the availability of a kernel update that resolves the issue.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c10f0efe57728508d796ae4ba7abe4c14ec3d8ef`	affected	< 13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e
`7e6556e9329bc484e9dcdab6e346d959267c0636`	affected	< 59c15b9cc453b74beb9f04c6c398717e73612dc3
`9b0513905e0598b9f8cfccab8e47497aed5d935d`	affected	< 42b380f97d65e76e7b310facd525f730272daf57
`335dfe4bc6368e70e8c15419375cf609c4f85558`	affected	< 2ce8ece5a78da67834db7728edc801889a64f643
`e42efbe9754da78eafe11f6bd3ca9c8a094a752a`	affected	< 477469223b2b840f436ce204333de87cb17e5d93
`0550069cc25f513ce1f109c88f7c1f01d63297db`	affected	< 457965c13f0837a289c9164b842d0860133f6274

Linux

unaffected

Version	Status	Constraints
`6.1.165`	affected	< 6.1.167
`6.6.128`	affected	< 6.6.130
`6.12.75`	affected	< 6.12.77
`6.18.14`	affected	< 6.18.17
`6.19.4`	affected	< 6.19.7

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c10f0efe57728508d796ae4ba7abe4c14ec3d8ef,13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e)`	affected	code_commit	—
`[7e6556e9329bc484e9dcdab6e346d959267c0636,59c15b9cc453b74beb9f04c6c398717e73612dc3)`	affected	code_commit	—
`[9b0513905e0598b9f8cfccab8e47497aed5d935d,42b380f97d65e76e7b310facd525f730272daf57)`	affected	code_commit	—
`[335dfe4bc6368e70e8c15419375cf609c4f85558,2ce8ece5a78da67834db7728edc801889a64f643)`	affected	code_commit	—
`[e42efbe9754da78eafe11f6bd3ca9c8a094a752a,477469223b2b840f436ce204333de87cb17e5d93)`	affected	code_commit	—
`[0550069cc25f513ce1f109c88f7c1f01d63297db,457965c13f0837a289c9164b842d0860133f6274)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`7.0-rc1`	affected	generic	—
`[0,7.0-rc1)`	unaffected	generic	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify the running kernel version on the system.
Apply the latest stable kernel release from the distribution, ensuring that the backported patch adding a NULL check to trigger_data_free() is present.
If a full kernel upgrade is not possible, consider disabling unused kernel tracing features to reduce the attack surface until a patch can be applied.
Monitor system logs for kernel panic entries mentioning trigger_data_free() to detect attempts to exploit the flaw.
If an advisory from the distribution vendor is available, follow the vendor’s recommended update or replacement procedures.

Generated by OpenCVE AI on March 26, 2026 at 02:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e
https://git.kernel.org/stable/c/2ce8ece5a78da67834db7728edc801889a64f643
https://git.kernel.org/stable/c/42b380f97d65e76e7b310facd525f730272daf57
https://git.kernel.org/stable/c/457965c13f0837a289c9164b842d0860133f6274
https://git.kernel.org/stable/c/477469223b2b840f436ce204333de87cb17e5d93
https://git.kernel.org/stable/c/59c15b9cc453b74beb9f04c6c398717e73612dc3
https://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23309-4243@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23309
https://www.cve.org/CVERecord?id=CVE-2026-23309

History

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23309-4243@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23309 https://www.cve.org/CVERecord?id=CVE-2026-23309

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to trigger_data_free() If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter. Fix the problem by adding a NULL pointer check to trigger_data_free(). The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.
Title		tracing: Add NULL pointer check to trigger_data_free()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e https://git.kernel.org/stable/c/2ce8ece5a78da67834db7728edc801889a64f643 https://git.kernel.org/stable/c/42b380f97d65e76e7b310facd525f730272daf57 https://git.kernel.org/stable/c/457965c13f0837a289c9164b842d0860133f6274 https://git.kernel.org/stable/c/477469223b2b840f436ce204333de87cb17e5d93 https://git.kernel.org/stable/c/59c15b9cc453b74beb9f04c6c398717e73612dc3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:04.828Z

Updated: 2026-05-11T22:04:23.455Z

Reserved: 2026-01-13T15:37:45.994Z

Link: CVE-2026-23309

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:26.993

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23309

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23309 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:16:47Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object