CVE-2026-23271
Published: 20 March 2026
Summary
CVE-2026-23271 is a high-severity Race Condition (CWE-362) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23271 is a race condition vulnerability in the Linux kernel's perf subsystem. The issue occurs between __perf_event_overflow() and perf_remove_from_context(), where __perf_event_overflow() can execute with only preemption disabled rather than IRQs disabled across all callchains, particularly for software events. This creates a race with perf_event_exit_event() and related functions that free resources expected to remain present in the overflow path, such as BPF programs.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by a local attacker requiring low privileges, with low attack complexity and no user interaction. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability, potentially through use-after-free scenarios involving freed kernel resources like BPF programs.
The vulnerability has been addressed in Linux kernel stable trees via patches in the following commits: https://git.kernel.org/stable/c/3f89b61dd504c5b6711de9759e053b082f9abf12, https://git.kernel.org/stable/c/4df1a45819e50993cb351682a6ae8e7ed2d233a0, https://git.kernel.org/stable/c/4f8d5812337871227bb2c98669a87c306a2f86ef, https://git.kernel.org/stable/c/5c48fdc4b4623533d86e279f51531a7ba212eb87, and https://git.kernel.org/stable/c/bb190628fe5f2a73ba762a9972ba16c5e895f73e. Security practitioners should update affected kernels to versions incorporating these fixes to ensure __perf_event_overflow() runs with IRQs disabled in all scenarios.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13605
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption…
more
disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel race condition enabling use-after-free exploitation for privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely remediation through application of Linux kernel patches for CVE-2026-23271 directly eliminates the race condition in the perf subsystem by ensuring IRQs are disabled in __perf_event_overflow().
Vulnerability scanning identifies systems with vulnerable kernel versions affected by the perf race condition in CVE-2026-23271.
Receiving kernel security advisories enables prompt awareness and response to CVE-2026-23271, facilitating patching before local exploitation.