CVE-2026-23115 (GCVE-0-2026-23115)

Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
Title
serial: Fix not set tty->port race condition
Summary
In the Linux kernel, the following vulnerability has been resolved: serial: Fix not set tty->port race condition Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be confured before we call uart_configure_port(), otherwise user-space can open console without TTY linked to the driver. This tty_port_link_device() was added explicitly to avoid this exact issue in commit fb2b90014d78 ("tty: link tty and port before configuring it as console"), so offending commit basically reverted the fix saying it is redundant without addressing the actual race condition presented there. Reproducible always as tty->port warning on Qualcomm SoC with most of devices disabled, so with very fast boot, and one serial device being the console: printk: legacy console [ttyMSM0] enabled printk: legacy console [ttyMSM0] enabled printk: legacy bootconsole [qcom_geni0] disabled printk: legacy bootconsole [qcom_geni0] disabled ------------[ cut here ]------------ tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver! WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1 Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6 CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT Tainted: [S]=CPU_OUT_OF_SPEC Hardware name: Qualcomm Technologies, Inc. Eliza (DT) ... tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P) tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3)) chrdev_open (fs/char_dev.c:411) do_dentry_open (fs/open.c:962) vfs_open (fs/open.c:1094) do_open (fs/namei.c:4634) path_openat (fs/namei.c:4793) do_filp_open (fs/namei.c:4820) do_sys_openat2 (fs/open.c:1391 (discriminator 3)) ... Starting Network Name Resolution... Apparently the flow with this small Yocto-based ramdisk user-space is: driver (qcom_geni_serial.c): user-space: ============================ =========== qcom_geni_serial_probe() uart_add_one_port() serial_core_register_port() serial_core_add_one_port() uart_configure_port() register_console() | | open console | ... | tty_init_dev() | driver->ports[idx] is NULL | tty_port_register_device_attr_serdev() tty_port_link_device() <- set driver->ports[idx]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: bfc467db60b76c30ca1f7f02088a219b6d5b6e8c , < 2501c49306238b54a2de0f93de43d50ab6e76c84 (git)
Affected: bfc467db60b76c30ca1f7f02088a219b6d5b6e8c , < 32f37e57583f869140cff445feedeea8a5fea986 (git)
Create a notification for this product.
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/serial_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2501c49306238b54a2de0f93de43d50ab6e76c84",
              "status": "affected",
              "version": "bfc467db60b76c30ca1f7f02088a219b6d5b6e8c",
              "versionType": "git"
            },
            {
              "lessThan": "32f37e57583f869140cff445feedeea8a5fea986",
              "status": "affected",
              "version": "bfc467db60b76c30ca1f7f02088a219b6d5b6e8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/serial_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix not set tty-\u003eport race condition\n\nRevert commit bfc467db60b7 (\"serial: remove redundant\ntty_port_link_device()\") because the tty_port_link_device() is not\nredundant: the tty-\u003eport has to be confured before we call\nuart_configure_port(), otherwise user-space can open console without TTY\nlinked to the driver.\n\nThis tty_port_link_device() was added explicitly to avoid this exact\nissue in commit fb2b90014d78 (\"tty: link tty and port before configuring\nit as console\"), so offending commit basically reverted the fix saying\nit is redundant without addressing the actual race condition presented\nthere.\n\nReproducible always as tty-\u003eport warning on Qualcomm SoC with most of\ndevices disabled, so with very fast boot, and one serial device being\nthe console:\n\n  printk: legacy console [ttyMSM0] enabled\n  printk: legacy console [ttyMSM0] enabled\n  printk: legacy bootconsole [qcom_geni0] disabled\n  printk: legacy bootconsole [qcom_geni0] disabled\n  ------------[ cut here ]------------\n  tty_init_dev: ttyMSM driver does not set tty-\u003eport. This would crash the kernel. Fix the driver!\n  WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n  Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n  CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S                  6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n  Tainted: [S]=CPU_OUT_OF_SPEC\n  Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\n  ...\n  tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\n  tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\n  chrdev_open (fs/char_dev.c:411)\n  do_dentry_open (fs/open.c:962)\n  vfs_open (fs/open.c:1094)\n  do_open (fs/namei.c:4634)\n  path_openat (fs/namei.c:4793)\n  do_filp_open (fs/namei.c:4820)\n  do_sys_openat2 (fs/open.c:1391 (discriminator 3))\n  ...\n  Starting Network Name Resolution...\n\nApparently the flow with this small Yocto-based ramdisk user-space is:\n\ndriver (qcom_geni_serial.c):                  user-space:\n============================                  ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n  serial_core_register_port()\n   serial_core_add_one_port()\n    uart_configure_port()\n     register_console()\n    |\n    |                                         open console\n    |                                          ...\n    |                                          tty_init_dev()\n    |                                           driver-\u003eports[idx] is NULL\n    |\n    tty_port_register_device_attr_serdev()\n     tty_port_link_device() \u003c- set driver-\u003eports[idx]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-14T15:09:47.826Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2501c49306238b54a2de0f93de43d50ab6e76c84"
        },
        {
          "url": "https://git.kernel.org/stable/c/32f37e57583f869140cff445feedeea8a5fea986"
        }
      ],
      "title": "serial: Fix not set tty-\u003eport race condition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23115",
    "datePublished": "2026-02-14T15:09:47.826Z",
    "dateReserved": "2026-01-13T15:37:45.969Z",
    "dateUpdated": "2026-02-14T15:09:47.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23115\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T15:16:06.607\",\"lastModified\":\"2026-02-14T15:16:06.607\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: Fix not set tty-\u003eport race condition\\n\\nRevert commit bfc467db60b7 (\\\"serial: remove redundant\\ntty_port_link_device()\\\") because the tty_port_link_device() is not\\nredundant: the tty-\u003eport has to be confured before we call\\nuart_configure_port(), otherwise user-space can open console without TTY\\nlinked to the driver.\\n\\nThis tty_port_link_device() was added explicitly to avoid this exact\\nissue in commit fb2b90014d78 (\\\"tty: link tty and port before configuring\\nit as console\\\"), so offending commit basically reverted the fix saying\\nit is redundant without addressing the actual race condition presented\\nthere.\\n\\nReproducible always as tty-\u003eport warning on Qualcomm SoC with most of\\ndevices disabled, so with very fast boot, and one serial device being\\nthe console:\\n\\n  printk: legacy console [ttyMSM0] enabled\\n  printk: legacy console [ttyMSM0] enabled\\n  printk: legacy bootconsole [qcom_geni0] disabled\\n  printk: legacy bootconsole [qcom_geni0] disabled\\n  ------------[ cut here ]------------\\n  tty_init_dev: ttyMSM driver does not set tty-\u003eport. This would crash the kernel. Fix the driver!\\n  WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\\n  Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\\n  CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S                  6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\\n  Tainted: [S]=CPU_OUT_OF_SPEC\\n  Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\\n  ...\\n  tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\\n  tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\\n  chrdev_open (fs/char_dev.c:411)\\n  do_dentry_open (fs/open.c:962)\\n  vfs_open (fs/open.c:1094)\\n  do_open (fs/namei.c:4634)\\n  path_openat (fs/namei.c:4793)\\n  do_filp_open (fs/namei.c:4820)\\n  do_sys_openat2 (fs/open.c:1391 (discriminator 3))\\n  ...\\n  Starting Network Name Resolution...\\n\\nApparently the flow with this small Yocto-based ramdisk user-space is:\\n\\ndriver (qcom_geni_serial.c):                  user-space:\\n============================                  ===========\\nqcom_geni_serial_probe()\\n uart_add_one_port()\\n  serial_core_register_port()\\n   serial_core_add_one_port()\\n    uart_configure_port()\\n     register_console()\\n    |\\n    |                                         open console\\n    |                                          ...\\n    |                                          tty_init_dev()\\n    |                                           driver-\u003eports[idx] is NULL\\n    |\\n    tty_port_register_device_attr_serdev()\\n     tty_port_link_device() \u003c- set driver-\u003eports[idx]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2501c49306238b54a2de0f93de43d50ab6e76c84\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/32f37e57583f869140cff445feedeea8a5fea986\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.