CVE-2026-23115 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

serial: Fix not set tty->port race condition

Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be confured before we call uart_configure_port(), otherwise user-space can open console without TTY linked to the driver.

This tty_port_link_device() was added explicitly to avoid this exact issue in commit fb2b90014d78 ("tty: link tty and port before configuring it as console"), so offending commit basically reverted the fix saying it is redundant without addressing the actual race condition presented there.

Reproducible always as tty->port warning on Qualcomm SoC with most of devices disabled, so with very fast boot, and one serial device being the console:

printk: legacy console [ttyMSM0] enabled
printk: legacy console [ttyMSM0] enabled
printk: legacy bootconsole [qcom_geni0] disabled
printk: legacy bootconsole [qcom_geni0] disabled
------------[ cut here ]------------
tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver! WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1 Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6 CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT Tainted: [S]=CPU_OUT_OF_SPEC
Hardware name: Qualcomm Technologies, Inc. Eliza (DT) ... tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P) tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3)) chrdev_open (fs/char_dev.c:411) do_dentry_open (fs/open.c:962) vfs_open (fs/open.c:1094) do_open (fs/namei.c:4634) path_openat (fs/namei.c:4793) do_filp_open (fs/namei.c:4820) do_sys_openat2 (fs/open.c:1391 (discriminator 3)) ... Starting Network Name Resolution...

Apparently the flow with this small Yocto-based ramdisk user-space is:

driver (qcom_geni_serial.c): user-space: ============================ =========== qcom_geni_serial_probe() uart_add_one_port() serial_core_register_port() serial_core_add_one_port() uart_configure_port() register_console() | | open console | ... | tty_init_dev() | driver->ports[idx] is NULL
| tty_port_register_device_attr_serdev() tty_port_link_device() <- set driver->ports[idx]

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/06/2026

The vulnerability described in CVE-2026-23115 represents a critical race condition within the Linux kernel's serial driver subsystem that can lead to kernel crashes and potential security implications. This issue specifically affects Qualcomm SoC platforms where the tty port linking mechanism fails to properly establish the relationship between terminal devices and their underlying serial ports during the boot process. The root cause stems from an erroneous commit that removed a critical function call, tty_port_link_device(), which was explicitly introduced to prevent exactly this type of race condition. The vulnerability manifests when the kernel attempts to configure a serial console before the tty port is properly linked to the driver, creating a scenario where user-space applications can open console devices without proper TTY port associations.

The technical flaw occurs in the tty initialization flow where the sequence of operations is not properly synchronized. When the kernel attempts to register a console through uart_configure_port() and subsequently calls register_console(), the tty->port field remains unset because tty_port_link_device() was removed. This creates a condition where drivers attempt to access driver->ports[idx] which is NULL, leading to immediate kernel crashes as demonstrated by the warning message "ttyMSM driver does not set tty->port. This would crash the kernel." The issue is particularly pronounced on Qualcomm platforms with fast boot sequences and minimal device drivers enabled, where the timing window for the race condition becomes extremely narrow but highly reproducible.

The operational impact of this vulnerability extends beyond simple kernel panics to potentially compromise system stability and security. When the race condition occurs, the kernel crashes with a clear indication that the driver failed to set the tty->port field, which would otherwise be handled gracefully. The crash occurs during early boot processes when systemd attempts to open console devices, indicating that this vulnerability can affect system initialization and potentially prevent proper system boot. From a security perspective, this vulnerability aligns with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and can be categorized under ATT&CK technique T1490 (Inhibit System Recovery) due to its potential to cause system instability. The vulnerability also demonstrates characteristics of improper resource management and race condition exploitation that could be leveraged by malicious actors to cause denial-of-service conditions or potentially escalate privileges in compromised systems.

The recommended mitigation strategy involves reverting the problematic commit bfc467db60b7 and ensuring that tty_port_link_device() is properly called before uart_configure_port() is executed. This approach restores the explicit fix that was previously implemented in commit fb2b90014d78, which specifically addressed this exact race condition. System administrators should ensure that all kernel updates include this fix, particularly on Qualcomm-based platforms where the vulnerability is most prevalent. Additionally, monitoring for the specific kernel warning message "tty_init_dev: ttyMSM driver does not set tty->port" can help identify systems that may be affected by this vulnerability. Organizations should also implement proper kernel version management to ensure that all devices running on Qualcomm SoCs are updated with patches that address this race condition, as the vulnerability can be exploited during system boot processes to prevent proper system initialization and operation.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00074

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!