Cyber Resilience

CVE-2026-23271

Severity: High
Published: 20 March 2026
Modified: 22 May 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0001 (2.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23271 is a high-severity race condition (CWE-362) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 2.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23271 is a race condition vulnerability in the Linux kernel's perf subsystem. The issue occurs between __perf_event_overflow() and perf_remove_from_context(), where __perf_event_overflow() can execute with only preemption disabled rather than IRQs disabled across all callchains, particularly for software events. This creates a race with perf_event_exit_event() and related functions that free resources expected to remain present in the overflow path, such as BPF programs.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by a local attacker requiring low privileges, with low attack complexity and no user interaction. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability, potentially through use-after-free scenarios involving freed kernel resources like BPF programs.

The vulnerability has been addressed in Linux kernel stable trees via patches in the following commits: https://git.kernel.org/stable/c/3f89b61dd504c5b6711de9759e053b082f9abf12, https://git.kernel.org/stable/c/4df1a45819e50993cb351682a6ae8e7ed2d233a0, https://git.kernel.org/stable/c/4f8d5812337871227bb2c98669a87c306a2f86ef, https://git.kernel.org/stable/c/5c48fdc4b4623533d86e279f51531a7ba212eb87, and https://git.kernel.org/stable/c/bb190628fe5f2a73ba762a9972ba16c5e895f73e. Security practitioners should update affected kernels to versions incorporating these fixes to ensure __perf_event_overflow() runs with IRQs disabled in all scenarios.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.

CWE(s): CWE-362 (Race Condition)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel race condition enabling use-after-free exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1


Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 2.6.31 to 6.1.167; 6.2 to 6.6.130; 6.7 to 6.12.77
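As an added example (not the page's own code, nor a kernel project tool), a small Python checker that maps a `uname -r` style release string onto the affected-version list above, the kind of check the vulnerability-scanning control needs. It assumes the listed ranges are inclusive at both ends, that the standalone 7.0 entry marks 7.0 (including -rc builds) as affected, and it knows nothing about distribution backports.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Affected versions as listed on this page. Assumption: each range is
# inclusive at both ends, and the standalone "7.0" entry marks 7.0 as
# affected (its -rc builds parse to the same tuple).
AFFECTED_RANGES = (
    ((2, 6, 31), (6, 1, 167)),
    ((6, 2, 0), (6, 6, 130)),
    ((6, 7, 0), (6, 12, 77)),
)
AFFECTED_SINGLE = ((7, 0, 0),)

# Numeric prefix of a `uname -r` string; distro suffixes such as
# "-generic" or ".el9.x86_64" are deliberately ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Optional[Version]:
    """Turn '6.6.120-generic' into (6, 6, 120); None if no numeric prefix."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(release: str) -> Optional[bool]:
    """True if the upstream version lies in the listed affected set,
    False if outside it, None if the string could not be parsed.
    Caveat: distribution kernels backport fixes without changing the
    upstream version number, so True is a triage hint to confirm
    against the distro advisory, not a final verdict."""
    v = parse_kernel_version(release)
    if v is None:
        return None
    if v in AFFECTED_SINGLE:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(releases: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Evaluate a batch of release strings, e.g. from an asset inventory."""
    return {r: is_affected(r) for r in releases}


if __name__ == "__main__":
    # Constructed sample inventory; not data taken from the page.
    sample = ["6.6.120-generic", "6.6.131", "6.1.168-amd64", "6.12.77", "5.15.100", "not-a-kernel"]
    for release, verdict in triage(sample).items():
        print(f"{release:20} affected={verdict}")
```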

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely remediation through application of Linux kernel patches for CVE-2026-23271 directly eliminates the race condition in the perf subsystem by ensuring IRQs are disabled in __perf_event_overflow().

Detect: Vulnerability scanning identifies systems with vulnerable kernel versions affected by the perf race condition in CVE-2026-23271.

Detect: Receiving kernel security advisories enables prompt awareness and response to CVE-2026-23271, facilitating patching before local exploitation.
