{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23127", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.970Z", "datePublished": "2026-02-14T15:09:56.237Z", "dateUpdated": "2026-05-11T22:00:39.060Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:00:39.060Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix refcount warning on event->mmap_count increment\n\nWhen calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the\nfollowing warning is triggered:\n\n refcount_t: addition on 0; use-after-free.\n WARNING: lib/refcount.c:25\n\nPoC:\n\n struct perf_event_attr attr = {0};\n int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,\n PERF_FLAG_FD_OUTPUT);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);\n\nThis occurs when creating a group member event with the flag\nPERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing\nthe event triggers the warning.\n\nSince the event has copied the output_event in perf_event_set_output(),\nevent->rb is set. As a result, perf_mmap_rb() calls\nrefcount_inc(&event->mmap_count) when event->mmap_count = 0.\n\nDisallow the case when event->mmap_count = 0. This also prevents two\nevents from updating the same user_page."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "448f97fba9013ffa13f5dd82febd18836b189499", "lessThan": "23c0e4bd93d0b250775162faf456470485ac9fc7", "status": "affected", "versionType": "git"}, {"version": "448f97fba9013ffa13f5dd82febd18836b189499", "lessThan": "d06bf78e55d5159c1b00072e606ab924ffbbad35", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/23c0e4bd93d0b250775162faf456470485ac9fc7"}, {"url": "https://git.kernel.org/stable/c/d06bf78e55d5159c1b00072e606ab924ffbbad35"}], "title": "perf: Fix refcount warning on event->mmap_count increment", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B26C1E1-97A9-48B8-81C6-B6A3A0FC6C7E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix refcount warning on event->mmap_count increment\n\nWhen calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the\nfollowing warning is triggered:\n\n refcount_t: addition on 0; use-after-free.\n WARNING: lib/refcount.c:25\n\nPoC:\n\n struct perf_event_attr attr = {0};\n int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,\n PERF_FLAG_FD_OUTPUT);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);\n\nThis occurs when creating a group member event with the flag\nPERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing\nthe event triggers the warning.\n\nSince the event has copied the output_event in perf_event_set_output(),\nevent->rb is set. As a result, perf_mmap_rb() calls\nrefcount_inc(&event->mmap_count) when event->mmap_count = 0.\n\nDisallow the case when event->mmap_count = 0. This also prevents two\nevents from updating the same user_page."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nperf: Correcci\u00f3n de la advertencia de refcount en el incremento de event->mmap_count\n\nAl llamar a refcount_inc(&event->mmap_count) dentro de perf_mmap_rb(), se activa la siguiente advertencia:\n\n refcount_t: adici\u00f3n en 0; uso despu\u00e9s de liberaci\u00f3n.\n ADVERTENCIA: lib/refcount.c:25\n\nPoC:\n\n struct perf_event_attr attr = {0};\n int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,\n PERF_FLAG_FD_OUTPUT);\n mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);\n\nEsto ocurre al crear un evento miembro de grupo con la bandera PERF_FLAG_FD_OUTPUT. El l\u00edder del grupo debe ser mapeado con mmap y luego mapear el evento con mmap activa la advertencia.\n\nDado que el evento ha copiado el output_event en perf_event_set_output(), event->rb est\u00e1 establecido. Como resultado, perf_mmap_rb() llama a refcount_inc(&event->mmap_count) cuando event->mmap_count = 0.\n\nNo permitir el caso cuando event->mmap_count = 0. Esto tambi\u00e9n evita que dos eventos actualicen la misma user_page."}], "id": "CVE-2026-23127", "lastModified": "2026-03-18T14:49:58.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T15:16:07.963", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/23c0e4bd93d0b250775162faf456470485ac9fc7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d06bf78e55d5159c1b00072e606ab924ffbbad35"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: perf: Fix refcount warning on event->mmap_count increment", "id": "2439849", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439849"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23127", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23127\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23127\nhttps://lore.kernel.org/linux-cve-announce/2026021410-CVE-2026-23127-d01a@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[448f97fba9013ffa13f5dd82febd18836b189499,23c0e4bd93d0b250775162faf456470485ac9fc7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[448f97fba9013ffa13f5dd82febd18836b189499,d06bf78e55d5159c1b00072e606ab924ffbbad35)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.8,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T12:25:40.885354+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the part\u2011of\u2011release fix (e.g., 6.19.1 or later).", "If an immediate kernel update is not possible, restrict the use of perf_event_open for untrusted processes by removing the CAP_PERFMON capability or disabling it via sysctl settings.", "Monitor system logs for the refcount warning and consider temporarily disabling or carefully reviewing any applications that create perf events with PERF_FLAG_FD_OUTPUT."], "summary": {"action": "Apply patch", "impact": "Potential kernel crash due to use\u2011after\u2011free"}, "threat_synthesis": {"affected_systems": "The issue exists in the Linux kernel, affecting all release candidate versions of 6.19 from rc1 through rc6 and any earlier kernels that had not yet incorporated the patch. The vulnerability is present in the kernel source itself, regardless of distribution, until the patch is applied.", "description_and_impact": "A defect in the Linux kernel's performance event subsystem triggers a refcount warning when a group leader \"mmap\" operation is followed by a group member \"mmap\" with the PERF_FLAG_FD_OUTPUT flag. The code increments the event->mmap_count counter from zero, which can lead to a use\u2011after\u2011free situation in the kernel. The patch prevents the counter from being incremented when it is zero, eliminating the warning and averting potential memory corruption or kernel instability.", "risk_and_exploitability": "With a CVSS score of 5.5 and an EPSS of less than 1\u202f%, the probability of exploitation is low. The vulnerability is not catalogued in CISA\u2019s KEV database. An attacker would need the capability to invoke perf_event_open, typically granted to privileged or CAP_PERFMON processes, making the attack vector local. The fix mitigates the risk by preventing a use\u2011after\u2011free that could lead to a kernel crash or instability."}}}}, "created": "2026-02-16T12:01:38.795928+00:00", "updated": "2026-04-18T12:30:45.477136+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}