Cyber Resilience

CVE-2026-23248

High · Updated

Published: 18 March 2026

Modified: 21 May 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23248 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.6th percentile for exploit likelihood (EPSS), below the median, and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-23248 is a refcount bug and potential use-after-free (UAF) vulnerability in the Linux kernel's perf subsystem, specifically within the perf_mmap function. The issue arises from a race condition between a failing mmap setup and a concurrent mmap operation on a dependent event, such as one using output redirection. During perf_mmap, a ring buffer is allocated and assigned to event->rb while holding the mmap_mutex, but the mutex is released before calling map_range. If map_range fails, cleanup via perf_mmap_close occurs, yet another thread can acquire the mutex, observe the rb pointer, and increment its reference count, leading to a refcount_t addition on 0 or UAF if the count has already reached zero. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the race condition through concurrent mmap operations on perf events, potentially leading to use-after-free or refcount saturation warnings. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, denial of service, or arbitrary code execution within the kernel context.

The patch references from the kernel.org stable branches describe the fix: the scope of mmap_mutex is extended to cover the map_range call, so that ring buffer initialization and mapping (or cleanup on failure) happen atomically. This prevents concurrent access to half-initialized or dying ring buffers. Security practitioners should apply the commits (77de62ad3de3967818c3dbe656b7336ebee461d2, ac7ecb65af170a7fc193e7bd8be15dac84ec6a56, c27dea9f50ed525facb62ef647dddc4722456e07) to affected Linux kernels.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix refcount bug and potential UAF in perf_mmap

Syzkaller reported a refcount_t: addition on 0; use-after-free warning in perf_mmap. The issue is caused by a race condition between a failing mmap() setup and a concurrent mmap() on a dependent event (e.g., using output redirection).

In perf_mmap(), the ring_buffer (rb) is allocated and assigned to event->rb with the mmap_mutex held. The mutex is then released to perform map_range(). If map_range() fails, perf_mmap_close() is called to clean up. However, since the mutex was dropped, another thread attaching to this event (via inherited events or output redirection) can acquire the mutex, observe the valid event->rb pointer, and attempt to increment its reference count. If the cleanup path has already dropped the reference count to zero, this results in a use-after-free or refcount saturation warning.

Fix this by extending the scope of mmap_mutex to cover the map_range() call. This ensures that the ring buffer initialization and mapping (or cleanup on failure) happens atomically effectively, preventing other threads from accessing a half-initialized or dying ring buffer.
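The lock-scope problem described above, replayed as a deterministic single-threaded model in C. This is an added example, not kernel code or the upstream patch; the names (ring_buf, try_attach, failing_mmap) and the two-step teardown (drop the last reference, then clear the pointer) are assumptions of the model.

```c
/* Userspace model of the perf_mmap lock-scope race; NOT kernel code.
 * All names here are illustrative assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct ring_buf { int refs; };
struct event { struct ring_buf *rb; bool mutex_held; };
enum attach { ATTACH_BLOCKED, ATTACH_NO_RB, ATTACH_OK, ATTACH_DEAD_RB };

/* Second thread: take mmap_mutex, look at event->rb, take a reference. */
static enum attach try_attach(struct event *ev)
{
    if (ev->mutex_held)
        return ATTACH_BLOCKED;   /* would sleep until the mutex is free */
    if (ev->rb == NULL)
        return ATTACH_NO_RB;     /* nothing published, nothing to share */
    if (ev->rb->refs == 0)
        return ATTACH_DEAD_RB;   /* the "refcount_t: addition on 0" case */
    ev->rb->refs++;
    return ATTACH_OK;
}

/* First thread: an mmap setup whose map_range step fails. Returns what the
 * second thread observes either inside the cleanup window (last reference
 * dropped, pointer still set) or, with retry_after, once cleanup is done. */
static enum attach failing_mmap(bool patched, bool retry_after)
{
    struct ring_buf rb = { .refs = 1 };
    struct event ev = { .rb = &rb, .mutex_held = true }; /* rb set under mutex */

    if (!patched)
        ev.mutex_held = false;   /* old ordering: unlock before map_range */
    rb.refs--;                   /* map_range failed; last reference dropped */
    enum attach seen = try_attach(&ev); /* concurrent mmap, dependent event */
    ev.rb = NULL;                /* cleanup detaches the buffer */
    ev.mutex_held = false;       /* patched ordering unlocks only here */
    return retry_after ? try_attach(&ev) : seen;
}

int main(void)
{
    printf("unpatched: in window=%d, after=%d\n",
           failing_mmap(false, false), failing_mmap(false, true));
    printf("patched:   in window=%d, after=%d\n",
           failing_mmap(true, false), failing_mmap(true, true));
    return 0;
}
```

With the mutex held across the failing step, the second thread can only run after cleanup has cleared the pointer, so it never sees a buffer whose count is already zero.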

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF/race in perf_mmap directly enables privilege escalation via arbitrary kernel code execution from low-privileged user context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 7.0 · 6.14 — 6.18.17 · 6.19 — 6.19.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely flaw remediation through patching the specific race condition and UAF in the Linux kernel's perf_mmap function as detailed in the provided commits.

prevent

Implements memory protection mechanisms that mitigate use-after-free exploitation by preventing unauthorized kernel memory access and corruption.

prevent

Enforces secure kernel configuration settings, such as kernel.perf_event_paranoid, to restrict low-privilege access to vulnerable perf events and reduce race condition exploitability.

References