{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23311", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.994Z", "datePublished": "2026-03-25T10:27:06.915Z", "dateUpdated": "2026-05-11T22:04:25.774Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:25.774Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix invalid wait context in ctx_sched_in()\n\nLockdep found a bug in the event scheduling when a pinned event was\nfailed and wakes up the threads in the ring buffer like below.\n\nIt seems it should not grab a wait-queue lock under perf-context lock.\nLet's do it with irq_work.\n\n [ 39.913691] =============================\n [ 39.914157] [ BUG: Invalid wait context ]\n [ 39.914623] 6.15.0-next-20250530-next-2025053 #1 Not tainted\n [ 39.915271] -----------------------------\n [ 39.915731] repro/837 is trying to lock:\n [ 39.916191] ffff88801acfabd8 (&event->waitq){....}-{3:3}, at: __wake_up+0x26/0x60\n [ 39.917182] other info that might help us debug this:\n [ 39.917761] context-{5:5}\n [ 39.918079] 4 locks held by repro/837:\n [ 39.918530] #0: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: __perf_event_task_sched_in+0xd1/0xbc0\n [ 39.919612] #1: ffff88806ca3c6f8 (&cpuctx_lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1a7/0xbc0\n [ 39.920748] #2: ffff88800d91fc18 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1f9/0xbc0\n [ 39.921819] #3: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: perf_event_wakeup+0x6c/0x470"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6", "lessThan": "c67ab059953e3b66cb17ddd6524c23f9e1f6526d", "status": "affected", "versionType": "git"}, {"version": "f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6", "lessThan": "825f218ca70ef394c2b8546b313711d867b24584", "status": "affected", "versionType": "git"}, {"version": "f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6", "lessThan": "486ff5ad49bc50315bcaf6d45f04a33ef0a45ced", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c67ab059953e3b66cb17ddd6524c23f9e1f6526d"}, {"url": "https://git.kernel.org/stable/c/825f218ca70ef394c2b8546b313711d867b24584"}, {"url": "https://git.kernel.org/stable/c/486ff5ad49bc50315bcaf6d45f04a33ef0a45ced"}], "title": "perf/core: Fix invalid wait context in ctx_sched_in()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix invalid wait context in ctx_sched_in()\n\nLockdep found a bug in the event scheduling when a pinned event was\nfailed and wakes up the threads in the ring buffer like below.\n\nIt seems it should not grab a wait-queue lock under perf-context lock.\nLet's do it with irq_work.\n\n [ 39.913691] =============================\n [ 39.914157] [ BUG: Invalid wait context ]\n [ 39.914623] 6.15.0-next-20250530-next-2025053 #1 Not tainted\n [ 39.915271] -----------------------------\n [ 39.915731] repro/837 is trying to lock:\n [ 39.916191] ffff88801acfabd8 (&event->waitq){....}-{3:3}, at: __wake_up+0x26/0x60\n [ 39.917182] other info that might help us debug this:\n [ 39.917761] context-{5:5}\n [ 39.918079] 4 locks held by repro/837:\n [ 39.918530] #0: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: __perf_event_task_sched_in+0xd1/0xbc0\n [ 39.919612] #1: ffff88806ca3c6f8 (&cpuctx_lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1a7/0xbc0\n [ 39.920748] #2: ffff88800d91fc18 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1f9/0xbc0\n [ 39.921819] #3: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: perf_event_wakeup+0x6c/0x470"}], "id": "CVE-2026-23311", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:27.327", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/486ff5ad49bc50315bcaf6d45f04a33ef0a45ced"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/825f218ca70ef394c2b8546b313711d867b24584"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c67ab059953e3b66cb17ddd6524c23f9e1f6526d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: perf/core: Fix invalid wait context in ctx_sched_in()", "id": "2451208", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451208"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-413", "details": ["A flaw was found in the Linux kernel's perf/core component. This vulnerability occurs due to an invalid wait context during event scheduling, specifically when a pinned event fails and attempts to wake up threads in the ring buffer. An attacker could potentially exploit this to cause system instability or a denial of service (DoS) by triggering this specific event scheduling scenario. This issue is related to incorrect handling of wait-queue locks under perf-context locks."], "name": "CVE-2026-23311", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23311\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23311\nhttps://lore.kernel.org/linux-cve-announce/2026032529-CVE-2026-23311-8c0b@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6,c67ab059953e3b66cb17ddd6524c23f9e1f6526d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6,825f218ca70ef394c2b8546b313711d867b24584)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6,486ff5ad49bc50315bcaf6d45f04a33ef0a45ced)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:42:42.912571+00:00", "value": {"mitigation_remediation": ["Upgrade to a kernel version that includes the commit 486ff5ad49bc50315bcaf6d45f04a33ef0a45ced or the patched 6.15.0-next release.", "Verify that the running kernel reports the patch commit hash.", "If an upgrade cannot be performed immediately, disable or limit perf event pinning to avoid the failure condition that triggers the invalid wait context.", "Monitor system logs for \u201cInvalid wait context\u201d messages to detect any occurrence.", "Ensure kernel integrity by verifying signatures of loaded modules and by applying security hardening mitigations such as CONFIG_IRQ_WORK."], "summary": {"action": "Immediate Patch", "impact": "Kernel crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any Linux kernel that contains the buggy perf/core implementation before the patch. The log excerpt indicates the issue appears in kernel 6.15.0-next-20250530-next. All Linux releases that have not yet applied the commit 486ff5ad49bc50315bcaf6d45f04a33ef0a45ced are potentially vulnerable. The vendor is the Linux kernel project.", "description_and_impact": "The flaw lies in the Linux kernel's performance event scheduler. An invalid wait context can arise when a pinned event fails and the scheduler attempts to wake threads while holding a wait\u2011queue lock inside the perf\u2011context lock. This misuse of locking leads to a kernel panic and denial of service. The weakness is classified as CWE-413.", "risk_and_exploitability": "The CVSS score of 5.5 signals moderate severity, while the EPSS score of less than 1 \u2011\u202f% denotes a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no public exploits are currently known. Attacking this flaw would likely require a local user or kernel module capable of creating a failing perf event; no clear remote exploitation path is documented."}}}}, "created": "2026-03-25T21:15:18.501156+00:00", "updated": "2026-03-27T09:49:57.343982+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}