HIGH
perf Overflow Race
CVE-2026-23271
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.9 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

perf: Fix __perf_event_overflow() vs perf_remove_from_context() race

Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled.

This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger a race condition in the perf subsystem leading to a use-after-free. This can result in kernel memory corruption, privilege escalation, or system crashes when perf software events are processed concurrently with event cleanup operations.
Vulnerability analysis
The vulnerability stems from insufficient synchronization in __perf_event_overflow(), which can run with only preemption disabled for software events. This creates a race window against perf_event_exit_event() and related cleanup functions that concurrently free resources—including BPF programs and the perf_event structure itself—while the overflow path still references them. The fix ensures IRQs are disabled in the software event overflow path and adds state checking to serialize against event removal, closing the use-after-free window.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.167 | 4df1a45819e5 |
| 6.12 | 6.12.77 | 5c48fdc4b462 |
| 6.18 | 6.18.17 | 3f89b61dd504 |
| 6.19 | 6.19.7 | bb190628fe5f |
| 6.6 | 6.6.130 | 4f8d58123378 |
| mainline | 7.0 | c9bc1753b3cc |
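
The fix table above, turned into a check of an upstream release string. This is an added example, not part of the advisory or the kernel project; the helper name `perf_fix_status` and its three status words are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rows copied from the advisory's fix table ("branch fixed-patch-level").
FIX_TABLE='6.1 167
6.6 130
6.12 77
6.18 17
6.19 7'

# perf_fix_status RELEASE  (hypothetical helper; RELEASE is a `uname -r` style string)
# Prints: fixed      upstream release is at or past the fixed-in version
#         not-fixed  listed branch, patch level below the fixed-in version
#         unknown    branch not in the table, 7.0 release candidate, or unparseable
perf_fix_status() {
    case $1 in 7.0-rc*) echo unknown; return 0 ;; esac  # an rc may predate the fix
    rel=${1%%[-+_]*}            # drop local/distro suffix: 6.6.129-rt5 -> 6.6.129
    case $rel in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    # Reject empty or non-numeric components.
    case "$major/$minor/$patch" in
        *[!0-9/]*|/*|*//*|*/) echo unknown; return 0 ;;
    esac
    # The table lists mainline as fixed in 7.0, so 7.0 and later carry the fix.
    if [ "$major" -ge 7 ]; then echo fixed; return 0; fi
    need=
    # String match on the branch so that 6.10 is never confused with 6.1.
    while read -r branch level; do
        if [ "$branch" = "$major.$minor" ]; then need=$level; fi
    done <<EOF
$FIX_TABLE
EOF
    if [ -z "$need" ]; then echo unknown; return 0; fi
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo not-fixed; fi
}

perf_fix_status "$(uname -r)"
```

A `not-fixed` result describes the upstream version number only: vendor kernels that backport the patch keep an older version string, so confirm against the vendor's own advisory.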