CVE-2026-46272 - Vulnerability Details

- coresight: tmc-etr: Fix race condition between sysfs and perf mode

Description

In the Linux kernel, the following vulnerability has been resolved:

coresight: tmc-etr: Fix race condition between sysfs and perf mode

When trying to run perf and sysfs mode simultaneously, the WARN_ON()
in tmc_etr_enable_hw() is triggered sometimes:

WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]
[..snip..]
Call trace:
tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)
tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)
tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]
coresight_enable_path+0x1c8/0x218 [coresight]
coresight_enable_sysfs+0xa4/0x228 [coresight]
enable_source_store+0x58/0xa8 [coresight]
dev_attr_store+0x20/0x40
sysfs_kf_write+0x4c/0x68
kernfs_fop_write_iter+0x120/0x1b8
vfs_write+0x2c8/0x388
ksys_write+0x74/0x108
__arm64_sys_write+0x24/0x38
el0_svc_common.constprop.0+0x64/0x148
do_el0_svc+0x24/0x38
el0_svc+0x3c/0x130
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x1ac/0x1b0
---[ end trace 0000000000000000 ]---

Since the enablement of sysfs mode is separeted into two critical regions,
one for sysfs buffer allocation and another for hardware enablement, it's
possible to race with the perf mode. Fix this by double check whether
the perf mode's been used before enabling the hardware in sysfs mode.

mode:
[sysfs mode] [perf mode]
tmc_etr_get_sysfs_buffer()
spin_lock(&drvdata->spinlock)
[sysfs buffer allocation]
spin_unlock(&drvdata->spinlock)
spin_lock(&drvdata->spinlock)
tmc_etr_enable_hw()
drvdata->etr_buf = etr_perf->etr_buf
spin_unlock(&drvdata->spinlock)
spin_lock(&drvdata->spinlock)
tmc_etr_enable_hw()
WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at
the perf side
spin_unlock(&drvdata->spinlock)

With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.
This ensures we verify whether the perf mode's already running before we
actually allocate the buffer. Then we can save the time of
allocating/freeing the sysfs buffer if race with the perf mode.

Published: 2026-06-03

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s coresight tmc‑etr subsystem contains a race condition between sysfs and perf operations. When sysfs mode and perf mode are enabled concurrently, tmc_etr_enable_hw may be executed while the buffer pointer is uninitialized or already allocated, triggering a WARN_ON. This pathological sequence can corrupt kernel memory or cause a panic, resulting in denial of service.

Affected Systems

Any Linux kernel that includes the coresight_tmc driver and is built with tracepoint support can be affected. The CVE does not list specific release versions, so all builds prior to the commit that implements the double‑check are potentially vulnerable. This encompasses mainstream distributions as well as custom kernels that enable the coresight_tmc configuration.

Risk and Exploitability

The advisory does not provide a CVSS score, and EPSS data is unavailable while the vulnerability is not in the CISA KEV catalog. This suggests that no confirmed exploitation has been observed. Based on the description, it is inferred that an attacker would need local or privileged access to simultaneously issue sysfs writes and engage perf on the same hardware, making it a local‑threat scenario. Nonetheless, because the flaw can cause kernel memory corruption and a potential crash, the risk to availability is significant for affected systems.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`296b01fd106e787d4463974a7f42d286a5df08cd`	affected	< 38a07194bbcddb18d77dad40ba9978d994c0b74c
`296b01fd106e787d4463974a7f42d286a5df08cd`	affected	< 6906aa70d4fc5900b954136e20e27c2be6d1acab
`296b01fd106e787d4463974a7f42d286a5df08cd`	affected	< e6e43e82c79c97917cbe356c07e8a6f3f982ab53

Linux

affected

Version	Status	Constraints
`6.5`	affected	—
`0`	unaffected	< 6.5
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[296b01fd106e787d4463974a7f42d286a5df08cd,38a07194bbcddb18d77dad40ba9978d994c0b74c)`	affected	code_commit	—
`[296b01fd106e787d4463974a7f42d286a5df08cd,6906aa70d4fc5900b954136e20e27c2be6d1acab)`	affected	code_commit	—
`[296b01fd106e787d4463974a7f42d286a5df08cd,e6e43e82c79c97917cbe356c07e8a6f3f982ab53)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.5`	affected	semver	—
`[0,6.5)`	unaffected	semver	—
`[6.18.14,6.19.0.0)`	unaffected	semver	—
`[6.19.4,6.20.0.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that incorporates the commit fixing the race condition, such as the latest stable or mainline kernel release
If updating is not immediately possible, avoid simultaneous use of sysfs and perf mode for coresight_tmc, or limit access to the sysfs entries to privileged users only
Monitor kernel logs for WARN_ON messages referencing tmc_etr_enable_hw; if such logs appear, consider taking response actions such as rebooting or patching

Generated by OpenCVE AI on June 3, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c
https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab
https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53

History

Wed, 03 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode When trying to run perf and sysfs mode simultaneously, the WARN_ON() in tmc_etr_enable_hw() is triggered sometimes: WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] [..snip..] Call trace: tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] coresight_enable_path+0x1c8/0x218 [coresight] coresight_enable_sysfs+0xa4/0x228 [coresight] enable_source_store+0x58/0xa8 [coresight] dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 kernfs_fop_write_iter+0x120/0x1b8 vfs_write+0x2c8/0x388 ksys_write+0x74/0x108 __arm64_sys_write+0x24/0x38 el0_svc_common.constprop.0+0x64/0x148 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x1ac/0x1b0 ---[ end trace 0000000000000000 ]--- Since the enablement of sysfs mode is separeted into two critical regions, one for sysfs buffer allocation and another for hardware enablement, it's possible to race with the perf mode. Fix this by double check whether the perf mode's been used before enabling the hardware in sysfs mode. mode: [sysfs mode] [perf mode] tmc_etr_get_sysfs_buffer() spin_lock(&drvdata->spinlock) [sysfs buffer allocation] spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() drvdata->etr_buf = etr_perf->etr_buf spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at the perf side spin_unlock(&drvdata->spinlock) With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf. This ensures we verify whether the perf mode's already running before we actually allocate the buffer. Then we can save the time of allocating/freeing the sysfs buffer if race with the perf mode.
Title		coresight: tmc-etr: Fix race condition between sysfs and perf mode
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-03T15:50:14.618Z

Updated: 2026-06-03T15:50:14.618Z

Reserved: 2026-05-13T15:03:33.109Z

Link: CVE-2026-46272

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-03T18:16:29.023

Modified: 2026-06-03T18:16:29.023

Link: CVE-2026-46272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T20:30:36Z

Weaknesses

CWE-362

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object