CVE-2026-23159

{"id": "CVE-2026-23159", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-02-14T16:15:56.070", "references": [{"url": "https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d84a4836dc246b7dc244e46a08ff992956b68db0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: sched: Fix perf crash with new is_user_task() helper\n\nIn order to do a user space stacktrace the current task needs to be a user\ntask that has executed in user space. It use to be possible to test if a\ntask is a user task or not by simply checking the task_struct mm field. If\nit was non NULL, it was a user task and if not it was a kernel task.\n\nBut things have changed over time, and some kernel tasks now have their\nown mm field.\n\nAn idea was made to instead test PF_KTHREAD and two functions were used to\nwrap this check in case it became more complex to test if a task was a\nuser task or not[1]. But this was rejected and the C code simply checked\nthe PF_KTHREAD directly.\n\nIt was later found that not all kernel threads set PF_KTHREAD. The io-uring\nhelpers instead set PF_USER_WORKER and this needed to be added as well.\n\nBut checking the flags is still not enough. There's a very small window\nwhen a task exits that it frees its mm field and it is set back to NULL.\nIf perf were to trigger at this moment, the flags test would say its a\nuser space task but when perf would read the mm field it would crash with\nat NULL pointer dereference.\n\nNow there are flags that can be used to test if a task is exiting, but\nthey are set in areas that perf may still want to profile the user space\ntask (to see where it exited). The only real test is to check both the\nflags and the mm field.\n\nInstead of making this modification in every location, create a new\nis_user_task() helper function that does all the tests needed to know if\nit is safe to read the user space memory or not.\n\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad:\n\nperf: sched: Soluciona el fallo de perf con la nueva funci\u00f3n auxiliar is_user_task()\n\nPara realizar un seguimiento de pila (stacktrace) del espacio de usuario, la tarea actual debe ser una tarea de usuario que se haya ejecutado en el espacio de usuario. Sol\u00eda ser posible comprobar si una tarea es una tarea de usuario o no simplemente verificando el campo mm de task_struct. Si no era NULL, era una tarea de usuario y si no, era una tarea del kernel.\n\nPero las cosas han cambiado con el tiempo, y algunas tareas del kernel ahora tienen su propio campo mm.\n\nSe propuso la idea de probar PF_KTHREAD en su lugar y se utilizaron dos funciones para encapsular esta verificaci\u00f3n en caso de que se volviera m\u00e1s complejo probar si una tarea era una tarea de usuario o no[1]. Pero esto fue rechazado y el c\u00f3digo C simplemente verific\u00f3 PF_KTHREAD directamente.\n\nM\u00e1s tarde se descubri\u00f3 que no todos los hilos del kernel establecen PF_KTHREAD. Los auxiliares de io-uring, en cambio, establecen PF_USER_WORKER y esto tambi\u00e9n necesitaba ser a\u00f1adido.\n\nPero verificar las banderas (flags) todav\u00eda no es suficiente. Hay una ventana muy peque\u00f1a cuando una tarea sale en la que libera su campo mm y este se vuelve a establecer en NULL. Si perf se activara en este momento, la prueba de las banderas dir\u00eda que es una tarea del espacio de usuario, pero cuando perf leyera el campo mm, fallar\u00eda con una desreferencia de puntero NULL.\n\nAhora hay banderas que se pueden usar para probar si una tarea est\u00e1 saliendo, pero se establecen en \u00e1reas que perf a\u00fan podr\u00eda querer perfilar en la tarea del espacio de usuario (para ver d\u00f3nde sali\u00f3). La \u00fanica prueba real es verificar tanto las banderas como el campo mm.\n\nEn lugar de realizar esta modificaci\u00f3n en cada ubicaci\u00f3n, cree una nueva funci\u00f3n auxiliar is_user_task() que realice todas las pruebas necesarias para saber si es seguro leer la memoria del espacio de usuario o no.\n\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/"}], "lastModified": "2026-03-18T14:13:18.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7B0307B-B830-41F5-A46B-78B12251F41C", "versionEndExcluding": "6.6.123", "versionStartIncluding": "6.6.116"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "571DBB6B-9F41-4903-BA8D-1097EC4629E1", "versionEndExcluding": "6.12.69", "versionStartIncluding": "6.12.57"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D53B981-624A-4600-B8E0-DA90B41D49CE", "versionEndExcluding": "6.18.9", "versionStartIncluding": "6.17.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}