Cyber Resilience

CVE-2026-23014

Severity: High

Published: 28 January 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23014 is a high-severity vulnerability in the Linux kernel; the weakness type (CWE) has not been specified. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 7.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23014 is a vulnerability in the Linux kernel's perf subsystem, specifically affecting software events (swevents) that use high-resolution timers (hrtimers). The issue arises because, after perf_swevent_cancel_hrtimer() was changed to call hrtimer_try_to_cancel(), the hrtimer can still be active when the associated perf event is freed, which leaves a dangling reference to freed memory and can lead to a use-after-free or related memory corruption. The fix installs a perf_event::destroy handler so that a full hrtimer_cancel() is performed on the event free path, guaranteeing the timer has stopped before the event's memory is released.

The attack requires local access (AV:L) with low privileges (PR:L), low complexity (AC:L), and no user interaction (UI:N), resulting in a CVSS v3.1 base score of 7.8 (S:U/C:H/I:H/A:H). A local attacker could exploit this to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution, privilege escalation, or system crashes within the kernel context.

Mitigation is provided through kernel patches, including commits deee9dfb111ab00f9dfd46c0c7e36656b80f5235 and ff5860f5088e9076ebcccf05a6ca709d5935cfa9 available at git.kernel.org/stable, which security practitioners should apply to affected Linux kernel versions.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed. With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A local kernel use-after-free in perf enables direct exploitation for privilege escalation to root/kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1


Affected Assets

Product: Linux kernel
Affected versions: 6.18, 6.19 · 6.17.8 — 6.18 · 6.18.1 — 6.18.6

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation)
Directly requires timely remediation of the Linux kernel perf subsystem flaw via patches ensuring proper hrtimer cancellation to eliminate the use-after-free vulnerability.

prevent
Provides kernel memory protections such as SMAP, SMEP, and KASLR that mitigate exploitation of the use-after-free condition in perf swevents even if unpatched.

detect (RA-5, Vulnerability Monitoring and Scanning)
Enables vulnerability scanning to identify affected kernel versions with CVE-2026-23014, triggering remediation to prevent local low-privilege exploitation.
