Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc, perf: Check that current->mm is alive before getting user callchain

It may happen that mm is already released, which leads to kernel panic.
This adds the NULL check for current->mm, similarly to
commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain").

I was getting this panic when running a profiling BPF program
(profile.py from bcc-tools):

[26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0)
[26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588
[26215.051952] Faulting instruction address: 0xc00000000020fac0
[26215.051957] Oops: Kernel access of bad area, sig: 11 [#1]
[...]
[26215.052049] Call Trace:
[26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable)
[26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30
[26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360
[26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0
[26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274
[...]

In addition, move storing the top-level stack entry to generic
perf_callchain_user to make sure the top-evel entry is always captured,
even if current->mm is NULL.

[Maddy: fixed message to avoid checkpatch format style error]
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in the Linux PowerPC kernel when the current process’s memory context is released while the kernel attempts to capture a user call chain for profiling, leading to a kernel panic. The crash stops the affected system and can be triggered by running certain profiling BPF programs. The failure is a local denial‑of‑service; it does not directly expose data but crashes the system, potentially causing service outages. The likely attack vector is local, inferred from the need to execute a profiling BPF program.

Affected Systems

All Linux kernel builds that include the PowerPC perf_callchain_user logic are affected. No specific version numbers are listed, but any kernel that has incorporated the recent perf changes without the added NULL check is vulnerable.

Risk and Exploitability

The CVSS score is 7.0 and the EPSS score is unavailable. The description indicates that the crash occurs during profiling BPF program execution, so it is inferred that the attack requires local execution privileges or the ability to load such programs. This could involve CAP_PERFMON or CAP_SYS_ADMIN permissions, but the exact required privilege set is not explicitly stated in the CVE data. The vulnerability is not listed in the CISA KEV catalog, indicating no known exploits at the time of analysis.

Generated by OpenCVE AI on May 9, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the NULL check for current->mm in perf_callchain_user
  • If a patch cannot be applied immediately, disable or remove perf callchain user features that trigger the crash, or unload any active BPF profiling programs
  • Restrict permission for running profiling BPF programs by limiting CAP_PERFMON or CAP_SYS_ADMIN privileges to trusted users

Generated by OpenCVE AI on May 9, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-826
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain"). I was getting this panic when running a profiling BPF program (profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0) [26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588 [26215.051952] Faulting instruction address: 0xc00000000020fac0 [26215.051957] Oops: Kernel access of bad area, sig: 11 [#1] [...] [26215.052049] Call Trace: [26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable) [26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30 [26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360 [26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0 [26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274 [...] In addition, move storing the top-level stack entry to generic perf_callchain_user to make sure the top-evel entry is always captured, even if current->mm is NULL. [Maddy: fixed message to avoid checkpatch format style error]
Title powerpc, perf: Check that current->mm is alive before getting user callchain
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:52.954Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43416

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:53.597

Modified: 2026-05-08T15:16:53.597

Link: CVE-2026-43416

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43416 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:30:17Z

Weaknesses