CVE-2026-23271 in Linux
Summary
by MITRE • 03/20/2026
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled.
This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.
Analysis
by VulDB Data Team • 05/23/2026
The vulnerability identified as CVE-2026-23271 represents a critical race condition within the Linux kernel's performance monitoring subsystem, specifically affecting the interaction between performance event overflow handling and context removal operations. This issue resides in the perf subsystem which provides performance monitoring capabilities through hardware and software performance counters. The flaw manifests when the __perf_event_overflow() function executes with insufficient interrupt protection, creating a window where concurrent operations can corrupt the state of performance events during overflow processing. The vulnerability occurs because software events may invoke __perf_event_overflow() with only preemption disabled rather than full interrupt disabling, which is essential for maintaining atomicity in the overflow handling path.
The technical flaw stems from improper interrupt management in the overflow processing sequence: the kernel did not ensure that every call chain into __perf_event_overflow() executes with interrupts disabled. The race is between __perf_event_overflow() and perf_remove_from_context(): the overflow handler may access memory or resources that concurrent cleanup has already freed. When perf_event_exit_event() and related functions remove a performance event from its context, they may free the attached BPF program and other associated resources while __perf_event_overflow() is still processing the overflow, leading to potential memory corruption, system instability, or privilege escalation opportunities. The vulnerability is classified under CWE-362, which covers race conditions where multiple threads or processes access shared resources without proper synchronization.
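The following is a constructed userspace model of the race described above, added here for illustration; it is not kernel code and not the patch. It assumes that the removal work from perf_remove_from_context() reaches the event's CPU as an interrupt (IPI), so it is deferred while interrupts are disabled but not while only preemption is disabled. The struct names, PROG_LIVE/PROG_FREED markers and the run_scenario() helper are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the CVE-2026-23271 race; not kernel code.
 * "prog" stands in for the BPF program attached to a perf event. */
struct bpf_prog { int magic; };
#define PROG_LIVE  0x600d
#define PROG_FREED 0xdead
struct perf_event { struct bpf_prog *prog; };

/* Model of the IPI that perf_remove_from_context() sends to the event's CPU
 * (assumption of this model): it lands at the next point where IRQs are on. */
static bool ipi_pending;

static void remove_from_context_ipi(struct perf_event *ev)
{
    ev->prog->magic = PROG_FREED;  /* stands in for freeing the BPF program */
    ev->prog = NULL;
}

/* An interrupt point inside the overflow path. Disabling preemption alone does
 * not block it; only an IRQs-disabled section defers the pending IPI. */
static void maybe_deliver_ipi(struct perf_event *ev, bool irqs_disabled)
{
    if (ipi_pending && !irqs_disabled) {
        ipi_pending = false;
        remove_from_context_ipi(ev);
    }
}

/* Model of __perf_event_overflow(): reads the program pointer, crosses a point
 * where an interrupt may land, then uses the program. Returns the marker it
 * observed (PROG_FREED means use after free), or -1 if the pointer was gone. */
static int overflow_handler(struct perf_event *ev, bool irqs_disabled)
{
    struct bpf_prog *prog = ev->prog;
    maybe_deliver_ipi(ev, irqs_disabled);
    if (!prog)
        return -1;
    return prog->magic;
}

/* Runs the overflow path with a removal IPI already queued against it. */
static int run_scenario(bool irqs_disabled)
{
    struct bpf_prog p = { .magic = PROG_LIVE };
    struct perf_event ev = { .prog = &p };
    ipi_pending = true;
    int seen = overflow_handler(&ev, irqs_disabled);
    maybe_deliver_ipi(&ev, false);  /* IRQs re-enabled after the handler */
    return seen;
}
```

run_scenario(false) models the software-event path before the fix (only preemption disabled) and observes the freed program; run_scenario(true) models the fixed path, where the removal is deferred until the overflow handler has finished.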
The operational impact of this vulnerability extends beyond simple system instability, potentially enabling malicious actors to exploit the race condition for privilege escalation or denial-of-service attacks. Attackers could leverage this flaw to manipulate performance monitoring data, corrupt kernel memory structures, or gain elevated privileges within the system. The vulnerability affects systems running Linux kernels that utilize the perf subsystem for performance monitoring, which includes virtually all modern Linux distributions used in enterprise and cloud environments. Given the widespread use of performance monitoring features in system administration, security auditing, and application profiling, this vulnerability represents a significant risk to system integrity and security. The timing of the race condition makes exploitation particularly challenging but not impossible, as it requires precise coordination of concurrent operations to trigger the memory corruption scenario.
Mitigation strategies for CVE-2026-23271 focus on ensuring proper interrupt handling and synchronization within the perf subsystem. System administrators should prioritize updating to kernel versions that contain the patched implementation, which enforces that __perf_event_overflow() executes with interrupts disabled across all possible call chains and thereby closes the race between overflow processing and context removal. Additionally, organizations should monitor their systems for performance monitoring anomalies that might indicate exploitation attempts, as the vulnerability could manifest through unexpected system behavior or performance counter corruption. Security teams should also consider implementing additional runtime protections and monitoring for concurrent access patterns that might indicate attempts to exploit the race condition. The fix aligns with ATT&CK technique T1059.006 for privilege escalation through kernel exploitation, and addresses the broader category of kernel-level race conditions that can lead to system compromise. Regular kernel updates and security assessments remain the primary defense against this class of vulnerabilities, as they ensure protection against known race conditions and memory corruption flaws in kernel subsystems.