{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23014", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.940Z", "datePublished": "2026-01-28T14:24:44.189Z", "dateUpdated": "2026-05-11T21:58:20.109Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:20.109Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Ensure swevent hrtimer is properly destroyed\n\nWith the change to hrtimer_try_to_cancel() in\nperf_swevent_cancel_hrtimer() it appears possible for the hrtimer to\nstill be active by the time the event gets freed.\n\nMake sure the event does a full hrtimer_cancel() on the free path by\ninstalling a perf_event::destroy handler."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "eb3182ef0405ff2f6668fd3e5ff9883f60ce8801", "lessThan": "deee9dfb111ab00f9dfd46c0c7e36656b80f5235", "status": "affected", "versionType": "git"}, {"version": "eb3182ef0405ff2f6668fd3e5ff9883f60ce8801", "lessThan": "ff5860f5088e9076ebcccf05a6ca709d5935cfa9", "status": "affected", "versionType": "git"}, {"version": "6b8c512811644cf2f5eaf6f44e928683c54127f0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/deee9dfb111ab00f9dfd46c0c7e36656b80f5235"}, {"url": "https://git.kernel.org/stable/c/ff5860f5088e9076ebcccf05a6ca709d5935cfa9"}], "title": "perf: Ensure swevent hrtimer is properly destroyed", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "57D56998-E0C3-4F58-BBF0-B20D1B4322C8", "versionEndExcluding": "6.18", "versionStartIncluding": "6.17.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "244757F1-F957-45E1-ADDD-D008246BCF53", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.18.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Ensure swevent hrtimer is properly destroyed\n\nWith the change to hrtimer_try_to_cancel() in\nperf_swevent_cancel_hrtimer() it appears possible for the hrtimer to\nstill be active by the time the event gets freed.\n\nMake sure the event does a full hrtimer_cancel() on the free path by\ninstalling a perf_event::destroy handler."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nperf: Asegurar que el hrtimer de swevent se destruya correctamente\n\nCon el cambio a hrtimer_try_to_cancel() en perf_swevent_cancel_hrtimer(), parece posible que el hrtimer siga activo para cuando el evento es liberado.\n\nAsegurarse de que el evento realice un hrtimer_cancel() completo en la ruta de liberaci\u00f3n mediante la instalaci\u00f3n de un controlador perf_event::destroy."}], "id": "CVE-2026-23014", "lastModified": "2026-04-27T14:16:29.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-28T15:16:17.833", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/deee9dfb111ab00f9dfd46c0c7e36656b80f5235"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ff5860f5088e9076ebcccf05a6ca709d5935cfa9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: perf: Ensure swevent hrtimer is properly destroyed", "id": "2433917", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433917"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23014", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23014\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23014\nhttps://lore.kernel.org/linux-cve-announce/2026012847-CVE-2026-23014-85e6@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-29T02:32:03.778965+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the hrtimer_cancel fix, such as the latest patch release of 6.18 or any 6.19 release candidate that incorporates the fix", "Reboot the system after applying the update to ensure the new kernel is active", "If an update is not immediately available, temporarily disable perf events until the kernel is updated"], "summary": {"action": "Apply Patch", "impact": "Kernel instability"}, "threat_synthesis": {"affected_systems": "All versions of the Linux kernel from 6.18 onward, including the 6.19 release candidates 1 through 8, are affected. Kernel builds that lack the recent hrtimer_cancel fix for perf events are vulnerable.", "description_and_impact": "This vulnerability occurs when a high\u2011resolution timer used by the perf subsystem is not fully canceled before its associated perf event is freed. As a result, the timer may remain active, potentially allowing the kernel to execute timer callbacks with invalid state information once the event resources have been released. This can lead to unpredictable kernel behavior, such as data corruption, crashes, or instability, although no direct data\u2011exfiltration or privilege escalation is described.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity. The EPSS score of less than 1% suggests a very low likelihood of automated exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. The description does not specify whether a local or elevated privilege is required; the likely attack vector is local execution, as it involves interacting with kernel perf events; however, this remains an inference."}}}}, "created": "2026-04-18T18:45:05.762260+00:00", "updated": "2026-04-29T02:45:35.961619+00:00", "vendors": []}