KernelScan.io

perf PMU Context OOB

CVE-2026-31528

Severity: HIGH (CVSS 7.8 / 10.0, NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI rating: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved: perf: Make sure to use pmu_ctx->pmu for groups

Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access when group_sched_in() fails and needs to roll back. This *should* be handled by the transaction callbacks, but he found that when the group leader is a software event, the transaction handlers of the wrong PMU are used, despite the move_group case in perf_event_open() and group_sched_in() using pmu_ctx->pmu.

Turns out, inherit uses event->pmu to clone the events, effectively undoing the move_group case for all inherited contexts.

Fix this by also making inherit use pmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context. Similarly, __perf_event_read() should equally use pmu_ctx->pmu for the group case.

Analysis engine: v0.2.0

Risk summary

A local attacker with access to perf events could trigger out-of-bounds memory access by manipulating event groups, particularly when the group leader is a software event. This could lead to kernel memory corruption, system crashes, or potentially privilege escalation. The vulnerability affects systems where perf events are enabled and accessible to users.

Affected file: kernel/events/core.c

Vulnerability analysis

Root Cause: The perf subsystem was inconsistently using event->pmu vs pmu_ctx->pmu when handling event groups. During event inheritance and group reads, the code used event->pmu instead of pmu_ctx->pmu, which could cause events to be associated with the wrong PMU context. This mismatch led to using incorrect transaction handlers and could result in out-of-bounds memory access when group_sched_in() fails and needs to roll back operations.

Attack Surface: This is a local vulnerability that affects the perf subsystem. It requires local access to create perf events and manipulate event groups. The vulnerability is triggered through normal perf operations like event inheritance during process forking or reading grouped events, making it accessible to any user with permission to use perf events.

Fix Mechanism: The patch ensures consistent use of pmu_ctx->pmu throughout the perf subsystem. Specifically: (1) In inherit_event(), it changes from using child_event->pmu to parent_event->pmu_ctx->pmu when finding the PMU context, ensuring inherited events use the correct PMU context. (2) In __perf_event_read(), it uses event->pmu_ctx->pmu for group operations instead of event->pmu. (3) The code is also cleaned up to use guard() for spinlock management and perf_pmu_read() helper function.

Branch     Fixed in   Patch commit
6.12       6.12.80    3a696e84a8b1
6.18       6.18.21    35f7914e54fe
6.19       6.19.11    4c7594460465
6.6        6.6.131    656f35b46399
mainline   7.0        4b9ce6719606