CVE-2026-23107 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sve_state is NULL.
In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state:
| # ./sigreturn-za | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000046 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x06: level 2 translation fault | Data abort info: | ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 | CM = 0, WnR = 1, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00 | [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000
| Internal error: Oops: 0000000096000046 [#1] SMP
| Modules linked in: | CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT | Hardware name: linux,dummy-virt (DT) | pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : sve_save_state+0x4/0xf0 | lr : fpsimd_save_user_state+0xb0/0x1c0 | sp : ffff80008070bcc0 | x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658 | x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000 | x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40 | x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000 | x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c | x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020 | x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0 | x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48 | x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000 | x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440 | Call trace: | sve_save_state+0x4/0xf0 (P) | fpsimd_thread_switch+0x48/0x198 | __switch_to+0x20/0x1c0 | __schedule+0x36c/0xce0 | schedule+0x34/0x11c | exit_to_user_mode_loop+0x124/0x188 | el0_interrupt+0xc8/0xd8 | __el0_irq_handler_common+0x18/0x24 | el0t_64_irq_handler+0x10/0x1c | el0t_64_irq+0x198/0x19c | Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) | ---[ end trace 0000000000000000 ]---
Fix this by having restore_za_context() ensure that the task's sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/03/2026
The vulnerability described in CVE-2026-23107 affects the Linux kernel's handling of signal context restoration on ARM64 architectures, specifically involving the Scalable Vector Extension (SVE) and Streaming SVE (SSVE) features. This issue arises during the process of restoring a ZA context, which is part of the SVE state management for tasks executing on ARM64 systems. The flaw occurs when the kernel attempts to restore a ZA context without first ensuring that the task's sve_state structure is properly allocated. This oversight leads to a scenario where the task's TIF_SME flag is set to indicate that streaming mode is active, but the actual sve_state pointer remains NULL, creating an inconsistent state that can result in kernel crashes.
The technical root cause stems from a missing allocation check within the restore_za_context() function. When a task's ZA context is restored, the kernel sets the TIF_SME flag to indicate streaming mode, but fails to verify or allocate the necessary sve_state structure beforehand. This situation commonly occurs in legitimate but uncommon cases where a task's state is saved and restored by external mechanisms such as CRIU (Checkpoint/Restore In Userspace), which may not have initialized the sve_state structure. The vulnerability manifests when userspace attempts to enter streaming mode while sve_state is NULL, leading to a subsequent NULL pointer dereference when the kernel tries to store register state in the nonexistent sve_state structure.
The operational impact of this vulnerability is significant, as it can lead to kernel oops and system crashes, particularly when signal return operations involve ZA context restoration. The error trace shows that the kernel crashes in the sve_save_state function when attempting to access a NULL pointer, indicating that the system has entered an invalid state where TIF_SME is set but no valid sve_state exists to handle the streaming mode operations. This type of vulnerability can be exploited by malicious users to cause denial of service or potentially escalate privileges, as the kernel's handling of signal contexts directly impacts system stability and security boundaries.
The fix implemented addresses the core issue by ensuring that restore_za_context() properly allocates the task's sve_state before setting the TIF_SME flag. This approach mirrors the existing behavior when SME traps are taken by the kernel, maintaining consistency in how sve_state is managed. The solution preserves any existing SVE/SSVE state that might have been restored from a separate signal context, preventing data loss while ensuring proper allocation. This fix aligns with the CWE-476 principle of null pointer dereference prevention and follows best practices for memory management in kernel space operations. The mitigation strategy ensures that all necessary structures are properly initialized before flags indicating their usage are set, preventing the inconsistent state that led to the crash.
This vulnerability is categorized under the ATT&CK technique T1059.007 for kernel-mode rootkits and T1547.001 for privilege escalation through kernel manipulation. The fix demonstrates proper defensive programming practices by ensuring preconditions are met before state transitions occur, which aligns with the principle of least privilege and system integrity preservation. The solution maintains backward compatibility while strengthening the kernel's robustness against edge cases in signal handling and process state management.