Summaryinfo

A vulnerability was found in Linux Kernel up to 6.18.16/6.19.6/7.0-rc1. It has been classified as critical. This issue affects the function ctx_sched_in of the component perf. This manipulation causes buffer overflow. This vulnerability is handled as CVE-2026-23311. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as critical was found in Linux Kernel up to 6.18.16/6.19.6/7.0-rc1. Affected by this vulnerability is the function ctx_sched_in of the component perf. The manipulation with an unknown input leads to a buffer overflow vulnerability. The CWE definition for the vulnerability is CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix invalid wait context in ctx_sched_in() Lockdep found a bug in the event scheduling when a pinned event was failed and wakes up the threads in the ring buffer like below. It seems it should not grab a wait-queue lock under perf-context lock. Let's do it with irq_work. [ 39.913691] ============================= [ 39.914157] [ BUG: Invalid wait context ] [ 39.914623] 6.15.0-next-20250530-next-2025053 #1 Not tainted [ 39.915271] ----------------------------- [ 39.915731] repro/837 is trying to lock: [ 39.916191] ffff88801acfabd8 (&event->waitq){....}-{3:3}, at: __wake_up+0x26/0x60 [ 39.917182] other info that might help us debug this: [ 39.917761] context-{5:5} [ 39.918079] 4 locks held by repro/837: [ 39.918530] #0: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: __perf_event_task_sched_in+0xd1/0xbc0 [ 39.919612] #1: ffff88806ca3c6f8 (&cpuctx_lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1a7/0xbc0 [ 39.920748] #2: ffff88800d91fc18 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1f9/0xbc0 [ 39.921819] #3: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: perf_event_wakeup+0x6c/0x470

It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2026-23311 since 01/13/2026. The exploitation appears to be easy. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/30/2026).

The vulnerability scanner Nessus provides a plugin with the ID 303739 (Linux Distros Unpatched Vulnerability : CVE-2026-23311), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.18.17, 6.19.7 or 7.0-rc2 eliminates this vulnerability. Applying the patch c67ab059953e3b66cb17ddd6524c23f9e1f6526d/825f218ca70ef394c2b8546b313711d867b24584/486ff5ad49bc50315bcaf6d45f04a33ef0a45ced is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (303739) and CERT Bund (WID-SEC-2026-0861). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.18.0
• 6.18.1
• 6.18.2
• 6.18.3
• 6.18.4
• 6.18.5
• 6.18.6
• 6.18.7
• 6.18.8
• 6.18.9
• 6.18.10
• 6.18.11
• 6.18.12
• 6.18.13
• 6.18.14
• 6.18.15
• 6.18.16
• 6.19.0
• 6.19.1
• 6.19.2
• 6.19.3
• 6.19.4
• 6.19.5
• 6.19.6
• 7.0-rc1

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion