{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23309", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.994Z", "datePublished": "2026-03-25T10:27:04.828Z", "dateUpdated": "2026-05-11T22:04:23.455Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:23.455Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add NULL pointer check to trigger_data_free()\n\nIf trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()\njumps to the out_free error path. While kfree() safely handles a NULL\npointer, trigger_data_free() does not. This causes a NULL pointer\ndereference in trigger_data_free() when evaluating\ndata->cmd_ops->set_filter.\n\nFix the problem by adding a NULL pointer check to trigger_data_free().\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/trace_events_trigger.c"], "versions": [{"version": "c10f0efe57728508d796ae4ba7abe4c14ec3d8ef", "lessThan": "13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e", "status": "affected", "versionType": "git"}, {"version": "7e6556e9329bc484e9dcdab6e346d959267c0636", "lessThan": "59c15b9cc453b74beb9f04c6c398717e73612dc3", "status": "affected", "versionType": "git"}, {"version": "9b0513905e0598b9f8cfccab8e47497aed5d935d", "lessThan": "42b380f97d65e76e7b310facd525f730272daf57", "status": "affected", "versionType": "git"}, {"version": "335dfe4bc6368e70e8c15419375cf609c4f85558", "lessThan": "2ce8ece5a78da67834db7728edc801889a64f643", "status": "affected", "versionType": "git"}, {"version": "e42efbe9754da78eafe11f6bd3ca9c8a094a752a", "lessThan": "477469223b2b840f436ce204333de87cb17e5d93", "status": "affected", "versionType": "git"}, {"version": "0550069cc25f513ce1f109c88f7c1f01d63297db", "lessThan": "457965c13f0837a289c9164b842d0860133f6274", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/trace_events_trigger.c"], "versions": [{"version": "6.1.165", "lessThan": "6.1.167", "status": "affected", "versionType": "semver"}, {"version": "6.6.128", "lessThan": "6.6.130", "status": "affected", "versionType": "semver"}, {"version": "6.12.75", "lessThan": "6.12.77", "status": "affected", "versionType": "semver"}, {"version": "6.18.14", "lessThan": "6.18.17", "status": "affected", "versionType": "semver"}, {"version": "6.19.4", "lessThan": "6.19.7", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.165", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.128", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.75", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.14", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.4", "versionEndExcluding": "6.19.7"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e"}, {"url": "https://git.kernel.org/stable/c/59c15b9cc453b74beb9f04c6c398717e73612dc3"}, {"url": "https://git.kernel.org/stable/c/42b380f97d65e76e7b310facd525f730272daf57"}, {"url": "https://git.kernel.org/stable/c/2ce8ece5a78da67834db7728edc801889a64f643"}, {"url": "https://git.kernel.org/stable/c/477469223b2b840f436ce204333de87cb17e5d93"}, {"url": "https://git.kernel.org/stable/c/457965c13f0837a289c9164b842d0860133f6274"}], "title": "tracing: Add NULL pointer check to trigger_data_free()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add NULL pointer check to trigger_data_free()\n\nIf trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()\njumps to the out_free error path. While kfree() safely handles a NULL\npointer, trigger_data_free() does not. This causes a NULL pointer\ndereference in trigger_data_free() when evaluating\ndata->cmd_ops->set_filter.\n\nFix the problem by adding a NULL pointer check to trigger_data_free().\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y."}], "id": "CVE-2026-23309", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:26.993", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2ce8ece5a78da67834db7728edc801889a64f643"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42b380f97d65e76e7b310facd525f730272daf57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/457965c13f0837a289c9164b842d0860133f6274"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/477469223b2b840f436ce204333de87cb17e5d93"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/59c15b9cc453b74beb9f04c6c398717e73612dc3"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tracing: Add NULL pointer check to trigger_data_free()", "id": "2451230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451230"}, "csaw": false, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel. When the 'trigger_data_alloc()' function fails to allocate memory and returns a null pointer, the subsequent 'trigger_data_free()' function attempts to access this null pointer. This null pointer dereference can lead to a system crash, resulting in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-23309", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23309\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23309\nhttps://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23309-4243@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[c10f0efe57728508d796ae4ba7abe4c14ec3d8ef,13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7e6556e9329bc484e9dcdab6e346d959267c0636,59c15b9cc453b74beb9f04c6c398717e73612dc3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9b0513905e0598b9f8cfccab8e47497aed5d935d,42b380f97d65e76e7b310facd525f730272daf57)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[335dfe4bc6368e70e8c15419375cf609c4f85558,2ce8ece5a78da67834db7728edc801889a64f643)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e42efbe9754da78eafe11f6bd3ca9c8a094a752a,477469223b2b840f436ce204333de87cb17e5d93)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0550069cc25f513ce1f109c88f7c1f01d63297db,457965c13f0837a289c9164b842d0860133f6274)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.0-rc1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,7.0-rc1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T02:26:18.188956+00:00", "value": {"mitigation_remediation": ["Verify the running kernel version on the system.", "Apply the latest stable kernel release from the distribution, ensuring that the backported patch adding a NULL check to trigger_data_free() is present.", "If a full kernel upgrade is not possible, consider disabling unused kernel tracing features to reduce the attack surface until a patch can be applied.", "Monitor system logs for kernel panic entries mentioning trigger_data_free() to detect attempts to exploit the flaw.", "If an advisory from the distribution vendor is available, follow the vendor\u2019s recommended update or replacement procedures."], "summary": {"action": "Immediate Patch", "impact": "Kernel crash causing denial of service"}, "threat_synthesis": {"affected_systems": "The flaw resides in the Linux kernel tracing code, affecting all kernel releases that contain the trigger_data_free routine prior to the introduction of a NULL check. The vulnerability was discovered in backports to version 6.18.y, so any distribution shipping those or earlier kernels without the patch is impacted.", "description_and_impact": "A failure in the Linux kernel tracing subsystem may cause trigger_data_free() to dereference a NULL pointer, resulting in a kernel panic and a system reboot. The impact is a denial of service of the affected host, not a remote code execution or data theft.", "risk_and_exploitability": "The exploit probability is very low (EPSS < 1%) and the issue is not listed in CISA\u2019s KEV catalog. Nonetheless, a local or privileged attacker can trigger the vulnerable path and force a kernel crash, resulting in temporary denial of service. The risk is moderate but mitigated by the low likelihood of exploitation and the availability of a kernel update that resolves the issue."}}}}, "created": "2026-03-25T21:15:20.610163+00:00", "updated": "2026-03-26T12:16:47.876213+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}