CVE-2026-23159 (GCVE-0-2026-23159)

Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
Title
perf: sched: Fix perf crash with new is_user_task() helper
Summary
In the Linux kernel, the following vulnerability has been resolved: perf: sched: Fix perf crash with new is_user_task() helper In order to do a user space stacktrace the current task needs to be a user task that has executed in user space. It use to be possible to test if a task is a user task or not by simply checking the task_struct mm field. If it was non NULL, it was a user task and if not it was a kernel task. But things have changed over time, and some kernel tasks now have their own mm field. An idea was made to instead test PF_KTHREAD and two functions were used to wrap this check in case it became more complex to test if a task was a user task or not[1]. But this was rejected and the C code simply checked the PF_KTHREAD directly. It was later found that not all kernel threads set PF_KTHREAD. The io-uring helpers instead set PF_USER_WORKER and this needed to be added as well. But checking the flags is still not enough. There's a very small window when a task exits that it frees its mm field and it is set back to NULL. If perf were to trigger at this moment, the flags test would say its a user space task but when perf would read the mm field it would crash with at NULL pointer dereference. Now there are flags that can be used to test if a task is exiting, but they are set in areas that perf may still want to profile the user space task (to see where it exited). The only real test is to check both the flags and the mm field. Instead of making this modification in every location, create a new is_user_task() helper function that does all the tests needed to know if it is safe to read the user space memory or not. [1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 34b5aba8511a12fb2e9bd3124835cb4087187dac , < d84a4836dc246b7dc244e46a08ff992956b68db0 (git)
Affected: 8d79f96e477c4b8e3fca2efb36b269d8960a2285 , < 5aac392fcd3d981d7997f1a0766829e1afdeac2e (git)
Affected: 90942f9fac05702065ff82ed0bade0d08168d4ea , < a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c (git)
Affected: 90942f9fac05702065ff82ed0bade0d08168d4ea , < 76ed27608f7dd235b727ebbb12163438c2fbb617 (git)
Affected: 5050083e1a2f3e5e29cee0205c40e5864b52601d (git)
Create a notification for this product.
    Linux Linux Affected: 6.18
Unaffected: 0 , < 6.18 (semver)
Unaffected: 6.6.123 , ≤ 6.6.* (semver)
Unaffected: 6.12.69 , ≤ 6.12.* (semver)
Unaffected: 6.18.9 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/events/callchain.c",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d84a4836dc246b7dc244e46a08ff992956b68db0",
              "status": "affected",
              "version": "34b5aba8511a12fb2e9bd3124835cb4087187dac",
              "versionType": "git"
            },
            {
              "lessThan": "5aac392fcd3d981d7997f1a0766829e1afdeac2e",
              "status": "affected",
              "version": "8d79f96e477c4b8e3fca2efb36b269d8960a2285",
              "versionType": "git"
            },
            {
              "lessThan": "a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c",
              "status": "affected",
              "version": "90942f9fac05702065ff82ed0bade0d08168d4ea",
              "versionType": "git"
            },
            {
              "lessThan": "76ed27608f7dd235b727ebbb12163438c2fbb617",
              "status": "affected",
              "version": "90942f9fac05702065ff82ed0bade0d08168d4ea",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5050083e1a2f3e5e29cee0205c40e5864b52601d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/events/callchain.c",
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.18"
            },
            {
              "lessThan": "6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.69",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.123",
                  "versionStartIncluding": "6.6.116",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.69",
                  "versionStartIncluding": "6.12.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.9",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.17.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: sched: Fix perf crash with new is_user_task() helper\n\nIn order to do a user space stacktrace the current task needs to be a user\ntask that has executed in user space. It use to be possible to test if a\ntask is a user task or not by simply checking the task_struct mm field. If\nit was non NULL, it was a user task and if not it was a kernel task.\n\nBut things have changed over time, and some kernel tasks now have their\nown mm field.\n\nAn idea was made to instead test PF_KTHREAD and two functions were used to\nwrap this check in case it became more complex to test if a task was a\nuser task or not[1]. But this was rejected and the C code simply checked\nthe PF_KTHREAD directly.\n\nIt was later found that not all kernel threads set PF_KTHREAD. The io-uring\nhelpers instead set PF_USER_WORKER and this needed to be added as well.\n\nBut checking the flags is still not enough. There\u0027s a very small window\nwhen a task exits that it frees its mm field and it is set back to NULL.\nIf perf were to trigger at this moment, the flags test would say its a\nuser space task but when perf would read the mm field it would crash with\nat NULL pointer dereference.\n\nNow there are flags that can be used to test if a task is exiting, but\nthey are set in areas that perf may still want to profile the user space\ntask (to see where it exited). The only real test is to check both the\nflags and the mm field.\n\nInstead of making this modification in every location, create a new\nis_user_task() helper function that does all the tests needed to know if\nit is safe to read the user space memory or not.\n\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-14T16:01:25.229Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d84a4836dc246b7dc244e46a08ff992956b68db0"
        },
        {
          "url": "https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617"
        }
      ],
      "title": "perf: sched: Fix perf crash with new is_user_task() helper",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23159",
    "datePublished": "2026-02-14T16:01:25.229Z",
    "dateReserved": "2026-01-13T15:37:45.979Z",
    "dateUpdated": "2026-02-14T16:01:25.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23159\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T16:15:56.070\",\"lastModified\":\"2026-02-14T16:15:56.070\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nperf: sched: Fix perf crash with new is_user_task() helper\\n\\nIn order to do a user space stacktrace the current task needs to be a user\\ntask that has executed in user space. It use to be possible to test if a\\ntask is a user task or not by simply checking the task_struct mm field. If\\nit was non NULL, it was a user task and if not it was a kernel task.\\n\\nBut things have changed over time, and some kernel tasks now have their\\nown mm field.\\n\\nAn idea was made to instead test PF_KTHREAD and two functions were used to\\nwrap this check in case it became more complex to test if a task was a\\nuser task or not[1]. But this was rejected and the C code simply checked\\nthe PF_KTHREAD directly.\\n\\nIt was later found that not all kernel threads set PF_KTHREAD. The io-uring\\nhelpers instead set PF_USER_WORKER and this needed to be added as well.\\n\\nBut checking the flags is still not enough. There\u0027s a very small window\\nwhen a task exits that it frees its mm field and it is set back to NULL.\\nIf perf were to trigger at this moment, the flags test would say its a\\nuser space task but when perf would read the mm field it would crash with\\nat NULL pointer dereference.\\n\\nNow there are flags that can be used to test if a task is exiting, but\\nthey are set in areas that perf may still want to profile the user space\\ntask (to see where it exited). The only real test is to check both the\\nflags and the mm field.\\n\\nInstead of making this modification in every location, create a new\\nis_user_task() helper function that does all the tests needed to know if\\nit is safe to read the user space memory or not.\\n\\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d84a4836dc246b7dc244e46a08ff992956b68db0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.