Description
In the Linux kernel, the following vulnerability has been resolved:

perf: Make sure to use pmu_ctx->pmu for groups

Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access
when group_sched_in() fails and needs to roll back.

This *should* be handled by the transaction callbacks, but he found that when
the group leader is a software event, the transaction handlers of the wrong PMU
are used. Despite the move_group case in perf_event_open() and group_sched_in()
using pmu_ctx->pmu.

Turns out, inherit uses event->pmu to clone the events, effectively undoing the
move_group case for all inherited contexts. Fix this by also making inherit use
pmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context.

Similarly, __perf_event_read() should equally use pmu_ctx->pmu for the
group case.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Kernel Memory Access
Action: Apply Patch
AI Analysis

Impact

The flaw is in the Linux kernel’s perf subsystem. When a group operation rolls back, the code uses the wrong PMU context, causing an out‑of‑bounds memory access that corrupts kernel data structures. This memory corruption could let a local attacker tamper with kernel state or cause a denial of service.

Affected Systems

All Linux kernel builds based on a kernel version that predates the fix commit (35f7914e54fe7f13654c22ee045b05e4b6d8062b) are affected. Because the advisory lists only the generic Linux kernel CPE, any distribution shipping a kernel derived from such a version is potentially vulnerable until an update is applied.

Risk and Exploitability

The EPSS score remains <1% and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is 7.8, indicating a high severity. This out-of-bound memory access requires local interaction with the perf subsystem; an attacker with sufficient privilege can trigger the error, potentially leading to kernel memory corruption and denial of service.

Generated by OpenCVE AI on April 28, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the fix from commit 35f7914e54fe7f13654c22ee045b05e4b6d8062b following your distribution’s normal update procedures.
  • If a patched package is not yet available from your vendor, download the Linux kernel source, apply the patch that implements the change, rebuild the kernel, and install the new image.
  • As a temporary countermeasure, limit or disable the perf_event subsystem for untrusted users, for example by removing the perf_event_open capability from user namespaces or configuring systemd sandboxing to block access to that system call.
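The systemd sandboxing countermeasure in the last item can be audited per unit. The following is an added example, not part of the advisory or of any vendor tooling: it checks whether a unit's `SystemCallFilter=` lines explicitly deny `perf_event_open`, either by name or through systemd's `@debug` set, which contains it. The sample unit text and the `example-daemon` path are constructed, and the check only looks at explicit entries; it does not evaluate allow-lists.

```shell
#!/bin/sh
# Added example: report whether systemd unit text explicitly denies perf_event_open.
# Reads unit-file text on stdin and prints "denied" or "not-denied".
perf_filter_state() {
    awk '
    BEGIN { denied = 0 }
    /^[ \t]*SystemCallFilter[ \t]*=/ {
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)            # keep only the assigned value
        sub(/[ \t]+$/, "", val)
        if (val == "") { denied = 0; next }      # empty assignment resets the filter
        deny = (substr(val, 1, 1) == "~")        # leading "~" marks a deny-list line
        if (deny) val = substr(val, 2)
        n = split(val, names, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            name = names[i]
            sub(/:.*/, "", name)                 # drop an optional ":errno" suffix
            # A later line that names the call without "~" re-allows it.
            if (name == "perf_event_open" || name == "@debug")
                denied = deny
        }
    }
    END { print (denied ? "denied" : "not-denied") }
    '
}

# Constructed sample units for a hypothetical service (assumption, not from the page).
UNIT_OPEN='[Service]
ExecStart=/usr/bin/example-daemon
SystemCallFilter=~@mount'

UNIT_HARDENED='[Service]
ExecStart=/usr/bin/example-daemon
SystemCallFilter=~@mount
SystemCallFilter=~perf_event_open:EPERM
NoNewPrivileges=yes'

printf '%s\n' "$UNIT_OPEN" | perf_filter_state
printf '%s\n' "$UNIT_HARDENED" | perf_filter_state
```

On a live host the same function can be fed the output of `systemctl cat <unit>` for each service that runs untrusted code.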



Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Tue, 28 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Title perf: Make sure to use pmu_ctx->pmu for groups
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:32.460Z

Reserved: 2026-03-09T15:48:24.111Z

Link: CVE-2026-31528

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:53.040

Modified: 2026-04-28T18:00:28.390

Link: CVE-2026-31528

Redhat

Severity : Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31528 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses