Home

Description

In the Linux kernel, the following vulnerability has been resolved: perf: Fix refcount warning on event->mmap_count increment When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the following warning is triggered: refcount_t: addition on 0; use-after-free. WARNING: lib/refcount.c:25 PoC: struct perf_event_attr attr = {0}; int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0); mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd, PERF_FLAG_FD_OUTPUT); mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0); This occurs when creating a group member event with the flag PERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing the event triggers the warning. Since the event has copied the output_event in perf_event_set_output(), event->rb is set. As a result, perf_mmap_rb() calls refcount_inc(&event->mmap_count) when event->mmap_count = 0. Disallow the case when event->mmap_count = 0. This also prevents two events from updating the same user_page.

PUBLISHED Reserved 2026-01-13 | Published 2026-02-14 | Updated 2026-02-14 | Assigner Linux

Product status

Default status
unaffected

448f97fba9013ffa13f5dd82febd18836b189499 (git) before 23c0e4bd93d0b250775162faf456470485ac9fc7
affected

448f97fba9013ffa13f5dd82febd18836b189499 (git) before d06bf78e55d5159c1b00072e606ab924ffbbad35
affected

Default status
affected

6.18
affected

Any version before 6.18
unaffected

6.18.8 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/23c0e4bd93d0b250775162faf456470485ac9fc7

git.kernel.org/...c/d06bf78e55d5159c1b00072e606ab924ffbbad35

cve.org (CVE-2026-23127)

nvd.nist.gov (CVE-2026-23127)

Download JSON