HIGH
perf Swevent Timer Leak
CVE-2026-23014
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.6 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

perf: Ensure swevent hrtimer is properly destroyed

With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler.

02 KernelScan AI Analysis
Risk summary
Local users with access to perf events can trigger a use-after-free in the kernel's perf subsystem. By creating software events (e.g., cpu-clock) and destroying them while the hrtimer callback is executing, the hrtimer may access freed memory. This can lead to kernel crashes, information disclosure, or memory corruption.
Vulnerability analysis
The vulnerability is a race condition in the perf software event (swevent) hrtimer cleanup path. A previous fix changed perf_swevent_cancel_hrtimer() to use hrtimer_try_to_cancel() to avoid a deadlock. However, hrtimer_try_to_cancel() can return -1 if the timer callback is currently running, without waiting for it to complete. If the perf_event is freed while the callback is still executing, the callback accesses freed heap memory (use-after-free). The fix installs a perf_event::destroy handler that calls hrtimer_cancel(), which safely waits for any running callback to finish before the event is destroyed. This affects local users who can create perf events, typically requiring low privileges (CAP_PERFMON or equivalent, or unprivileged access depending on perf_event_paranoid configuration).
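The difference between the two cancel calls on the free path, as an added single-threaded userspace model (not kernel code and not the patch itself; every identifier in it is hypothetical). Freeing is replaced by a flag, so a callback that touches a released event is counted instead of executed.

```c
/* Userspace model, constructed for illustration: not kernel code, all names hypothetical. */
#include <stdbool.h>
#include <stdio.h>
enum tstate { T_INACTIVE, T_ENQUEUED, T_RUNNING };
struct model_event {           /* stands in for struct perf_event */
    enum tstate timer;         /* state of the embedded hrtimer */
    bool freed;                /* flag instead of free(): model never touches freed memory */
    int stale_accesses;        /* callback accesses made after the "free" */
};

/* Tail of the timer callback: dereferences the event, then the timer goes idle. */
static void callback_finish(struct model_event *e) {
    if (e->freed)
        e->stale_accesses++;   /* in the kernel this is the use-after-free */
    e->timer = T_INACTIVE;
}

/* Models hrtimer_try_to_cancel(): -1 if the callback is running, never waits. */
static int model_try_to_cancel(struct model_event *e) {
    if (e->timer == T_RUNNING)
        return -1;
    int was_queued = (e->timer == T_ENQUEUED);
    e->timer = T_INACTIVE;
    return was_queued;
}

/* Models hrtimer_cancel(): retries until the running callback has completed. */
static int model_cancel(struct model_event *e) {
    int ret;
    while ((ret = model_try_to_cancel(e)) < 0)
        callback_finish(e);    /* stands in for waiting on the other CPU */
    return ret;
}

/* Free an event from the given timer state; returns stale accesses observed. */
int free_event(enum tstate initial, bool full_cancel) {
    struct model_event e = { .timer = initial };
    /* The try-only path ignores a -1 result and proceeds to free anyway. */
    (void)(full_cancel ? model_cancel(&e) : model_try_to_cancel(&e));
    e.freed = true;            /* event memory is released here */
    if (e.timer == T_RUNNING)
        callback_finish(&e);   /* callback resumes after the free */
    return e.stale_accesses;
}

int main(void) {
    printf("callback running, try_to_cancel only: %d stale access(es)\n", free_event(T_RUNNING, false));
    printf("callback running, full cancel:        %d stale access(es)\n", free_event(T_RUNNING, true));
    return 0;
}
```

When the timer is only enqueued, both paths are clean in the model; the stale access appears only when the free overlaps a running callback, which is why the defect is a race.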
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.6 | deee9dfb111a |
| mainline | 6.19 | ff5860f5088e |