CVE-2026-23014
Published: 28 January 2026
Summary
CVE-2026-23014 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23014 is a vulnerability in the Linux kernel's perf subsystem, specifically affecting software events (swevent) that utilize high-resolution timers (hrtimers). The issue arises because the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() can leave the hrtimer active even after the associated perf event is freed, potentially leading to use-after-free conditions or related memory corruption. The vulnerability was resolved by installing a perf_event::destroy handler to ensure a full hrtimer_cancel() is performed on the event free path.
The attack requires local access (AV:L) with low privileges (PR:L), low complexity (AC:L), and no user interaction (UI:N), resulting in a CVSS v3.1 base score of 7.8 (S:U/C:H/I:H/A:H). A local attacker could exploit this to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution, privilege escalation, or system crashes within the kernel context.
Mitigation is provided through kernel patches, including commits deee9dfb111ab00f9dfd46c0c7e36656b80f5235 and ff5860f5088e9076ebcccf05a6ca709d5935cfa9 available at git.kernel.org/stable, which security practitioners should apply to affected Linux kernel versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4926
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed. With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler.
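A toy user-space model of the two free paths described above, added here as an illustration; it is not kernel code and not the patch itself. The toy_* names and the "callback re-arms the timer" behaviour are assumptions of the model; only the return convention of hrtimer_try_to_cancel() (0 inactive, 1 dequeued, -1 callback currently running) is taken from the real API.

```c
#include <stdio.h>

/* Timer states as seen by the cancel paths. */
enum toy_state { TOY_INACTIVE, TOY_ENQUEUED, TOY_CALLBACK_RUNNING };

struct toy_hrtimer { enum toy_state state; };
struct toy_event   { struct toy_hrtimer hrtimer; int freed; };
struct toy_result  { int cancel_ret; int dangling; };

/* Same return convention as hrtimer_try_to_cancel():
 * 0 = timer was not active, 1 = timer dequeued, -1 = callback running, nothing cancelled. */
static int toy_try_to_cancel(struct toy_hrtimer *t)
{
    if (t->state == TOY_CALLBACK_RUNNING) return -1;
    if (t->state == TOY_INACTIVE)         return 0;
    t->state = TOY_INACTIVE;
    return 1;
}

/* Stand-in for the callback returning; the model assumes it re-arms the timer. */
static void toy_callback_returns(struct toy_hrtimer *t)
{
    if (t->state == TOY_CALLBACK_RUNNING) t->state = TOY_ENQUEUED;
}

/* Same shape as hrtimer_cancel(): retry until the callback is done, so the timer is idle on return. */
static int toy_cancel(struct toy_hrtimer *t)
{
    int ret;
    while ((ret = toy_try_to_cancel(t)) == -1)
        toy_callback_returns(t);   /* the real kernel waits for the callback here */
    return ret;
}

/* Free path with the bug (try_to_cancel only) or with the fix (full cancel from a destroy handler).
 * dangling == 1 means the "freed" event still owns an armed timer that would fire into freed memory. */
static struct toy_result run_free_path(int with_fix)
{
    struct toy_event ev = { { TOY_CALLBACK_RUNNING }, 0 };  /* callback runs while the event is torn down */
    struct toy_result r;
    r.cancel_ret = with_fix ? toy_cancel(&ev.hrtimer) : toy_try_to_cancel(&ev.hrtimer);
    ev.freed = 1;                                            /* stand-in for the kfree() of the event */
    toy_callback_returns(&ev.hrtimer);                       /* callback finishes after the free */
    r.dangling = ev.freed && ev.hrtimer.state != TOY_INACTIVE;
    return r;
}

int main(void)
{
    struct toy_result bug = run_free_path(0), fix = run_free_path(1);
    printf("bug path: cancel returned %d, dangling timer after free: %d\n", bug.cancel_ret, bug.dangling);
    printf("fix path: cancel returned %d, dangling timer after free: %d\n", fix.cancel_ret, fix.dangling);
    return 0;
}
```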
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel use-after-free in perf enables direct exploitation for privilege escalation to root/kernel context.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the Linux kernel perf subsystem flaw via patches ensuring proper hrtimer cancellation to eliminate the use-after-free vulnerability.
Provides kernel memory protections such as SMAP, SMEP, and KASLR that mitigate exploitation of the use-after-free condition in perf swevents even if unpatched.
Enables vulnerability scanning to identify affected kernel versions with CVE-2026-23014, triggering remediation to prevent local low-privilege exploitation.