CVE-2026-23158
Published: 14 February 2026
Summary
CVE-2026-23158 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the use-after-free vulnerability by requiring identification, reporting, and application of kernel patches that fix the mutex lifetime issue in gpio_virtuser_device_config_group_release().
Prevents exploitation by restricting or prohibiting the unnecessary gpio-virtuser kernel module, avoiding exposure of the vulnerable configfs release path.
Provides memory protection mechanisms that mitigate exploitation of the use-after-free in the kernel's mutex unlock after device free.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel use-after-free enables privilege escalation via arbitrary code execution in kernel context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix UAF in configfs release path The gpio-virtuser configfs release path uses guard(mutex) to protect the device structure. However, the device is freed before the guard cleanup runs, causing mutex_unlock() to operate on freed memory. Specifically, gpio_virtuser_device_config_group_release() destroys the mutex and frees the device while still inside the guard(mutex) scope. When the function returns, the guard cleanup invokes mutex_unlock(&dev->lock), resulting in a slab use-after-free. Limit the mutex lifetime by using a scoped_guard() only around the activation check, so that the lock is released before mutex_destroy() and kfree() are called.
Deeper analysis
CVE-2026-23158 is a use-after-free vulnerability in the Linux kernel's gpio-virtuser configfs release path, published on 2026-02-14. The flaw arises in gpio_virtuser_device_config_group_release(), where the device mutex is protected by guard(mutex), but the mutex is destroyed and the device is freed before the guard cleanup executes. This results in mutex_unlock() operating on freed memory, classified as CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or system denial of service within the kernel context.
Kernel patches referenced in the stable git commits (53ad4a948a4586359b841d607c08fb16c5503230, 7bec90f605cfb138006f5ba575f2310593347110, and 815a8e3bf72811d402b30bd4a53cde5e9df7a563) mitigate the issue by using a scoped_guard() to limit the mutex lifetime to only the activation check. This ensures the lock is released before mutex_destroy() and kfree() are invoked, preventing the use-after-free. Security practitioners should apply these upstream fixes to affected Linux kernel versions.
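The scope ordering described above, as an added userspace model that is not code from the kernel or from this page. `struct mock_dev`, `MOCK_GUARD` and the `mock_*` helpers are hypothetical stand-ins, and nothing is really freed: a flag marks where `kfree()` would run so the late unlock can be counted. It uses the GCC/Clang `cleanup` attribute, which the kernel's `guard()` is built on.

```c
#include <stdio.h>
#include <stdbool.h>

/* Hypothetical stand-in for the gpio-virtuser device (not kernel code). */
struct mock_dev {
    bool locked;
    bool freed;             /* set where the kernel would call kfree() */
    int  unlock_after_free; /* unlocks that touched a "freed" object */
};

static void mock_lock(struct mock_dev *d) { d->locked = true; }
static void mock_free(struct mock_dev *d) { d->freed = true; }
static void mock_unlock(struct mock_dev *d)
{
    if (d->freed)
        d->unlock_after_free++;   /* in the kernel: slab use-after-free */
    d->locked = false;
}

/* Cleanup handler: runs when the guard variable goes out of scope. */
static void guard_exit(struct mock_dev **g) { mock_unlock(*g); }
#define MOCK_GUARD(d) \
    struct mock_dev *guard_ __attribute__((cleanup(guard_exit))) = (mock_lock(d), (d))

/* Before the fix: the guard spans the whole function body. */
static void release_buggy(struct mock_dev *d)
{
    MOCK_GUARD(d);
    /* activation check would run here */
    mock_free(d);   /* stands in for mutex_destroy() + kfree() */
}                   /* guard cleanup fires here, after the free */

/* After the fix: the lock is held only around the activation check. */
static void release_fixed(struct mock_dev *d)
{
    {
        MOCK_GUARD(d);
        /* activation check would run here */
    }               /* guard cleanup fires here, object still alive */
    mock_free(d);
}

int main(void)
{
    struct mock_dev a = {0}, b = {0};
    release_buggy(&a);
    release_fixed(&b);
    printf("buggy: %d unlock(s) after free, fixed: %d\n", a.unlock_after_free, b.unlock_after_free);
    return 0;
}
```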
Details
- CWE(s)