CVE-2026-23107
Null Pointer Dereference in Linux arm64 fpsimd ZA Context Restore

Publication date: 2026-02-04

Last updated on: 2026-03-19

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA

The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sve_state is NULL.

In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state:

| # ./sigreturn-za
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
| Mem abort info:
|   ESR = 0x0000000096000046
|   EC = 0x25: DABT (current EL), IL = 32 bits
|   SET = 0, FnV = 0
|   EA = 0, S1PTW = 0
|   FSC = 0x06: level 2 translation fault
| Data abort info:
|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0
|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00
| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000
| Internal error: Oops: 0000000096000046 [#1] SMP
| Modules linked in:
| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT
| Hardware name: linux,dummy-virt (DT)
| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
| pc : sve_save_state+0x4/0xf0
| lr : fpsimd_save_user_state+0xb0/0x1c0
| sp : ffff80008070bcc0
| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658
| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000
| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40
| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000
| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c
| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020
| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0
| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48
| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000
| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440
| Call trace:
|  sve_save_state+0x4/0xf0 (P)
|  fpsimd_thread_switch+0x48/0x198
|  __switch_to+0x20/0x1c0
|  __schedule+0x36c/0xce0
|  schedule+0x34/0x11c
|  exit_to_user_mode_loop+0x124/0x188
|  el0_interrupt+0xc8/0xd8
|  __el0_irq_handler_common+0x18/0x24
|  el0t_64_irq_handler+0x10/0x1c
|  el0t_64_irq+0x198/0x19c
| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)
| ---[ end trace 0000000000000000 ]---

Fix this by having restore_za_context() ensure that the task's sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed.
Meta Information
Published: 2026-02-04
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 10 associated CPEs
Vendor  Product       Version / Range
linux   linux_kernel  From 5.19 (inc) to 6.1.162 (exc)
linux   linux_kernel  From 6.2 (inc) to 6.6.122 (exc)
linux   linux_kernel  From 6.7 (inc) to 6.12.68 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.18.8 (exc)
linux   linux_kernel  6.19
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's arm64/fpsimd signal-handling code, specifically in how SSVE (Streaming SVE) storage is allocated when a ZA signal context is restored. The restore code does not allocate the task's sve_state before setting the TIF_SME flag, so a task can be left in an invalid state where TIF_SME is set but sve_state is NULL.

In uncommon cases, such as when a task is saved and restored with a tool like CRIU, the ZA signal context may not have been created by the kernel for the same task, so sve_state might never have been allocated. Userspace can then enter streaming mode without trapping even though sve_state is NULL, and the kernel dereferences that NULL pointer when it later tries to store the register state, causing a kernel crash (Oops).

The fix makes restore_za_context() allocate the task's sve_state when it is missing, without zeroing any live SVE/SSVE state restored earlier, so the invalid state and the resulting crash cannot occur.


How can this vulnerability impact me?

This vulnerability can cause a kernel NULL pointer dereference leading to a kernel crash (Oops) on affected Linux systems running on arm64 architecture with SSVE support. This crash can result in denial of service by making the system unstable or unresponsive.

In scenarios where tasks are checkpointed and restored (e.g., using CRIU), this vulnerability could be triggered, potentially disrupting normal system operation and causing unexpected reboots or downtime.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel NULL pointer dereference in the arm64/fpsimd signal-handling code when a ZA context is restored. Detection means watching kernel logs for oops traces that report a NULL pointer dereference with sve_save_state or fpsimd_save_user_state on the stack.

You can check your system logs (e.g., using dmesg or journalctl) for kernel oops messages similar to the following pattern:

  • dmesg | grep -i 'Unable to handle kernel NULL pointer dereference'
  • journalctl -k | grep -i 'Oops: 0000000096000046'

Additionally, monitoring for crashes or faults related to fpsimd or sve_save_state in kernel logs can help detect this issue.
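As an added example (not from the advisory or the kernel), the two grep commands above can be combined into a small detector that isolates each oops block in a journalctl -k dump and reports only the ones whose faulting pc is in the fpsimd/SVE save path named in the trace. The log excerpt embedded below is constructed from the advisory's trace plus an unrelated oops; example_driver_fn is a made-up symbol.

```python
import re

# Constructed sample: the advisory's oops (PID, comm and symbols as printed
# there) followed by an unrelated NULL dereference that must not be reported.
SAMPLE_LOG = """\
kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
kernel: Internal error: Oops: 0000000096000046 [#1] SMP
kernel: CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT
kernel: pc : sve_save_state+0x4/0xf0
kernel: Call trace:
kernel:  sve_save_state+0x4/0xf0 (P)
kernel:  fpsimd_thread_switch+0x48/0x198
kernel: ---[ end trace 0000000000000000 ]---
kernel: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
kernel: Internal error: Oops: 0000000096000004 [#2] SMP
kernel: pc : example_driver_fn+0x10/0x80
kernel: ---[ end trace 0000000000000000 ]---
"""

OOPS_START = re.compile(r"Unable to handle kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
PC_RE = re.compile(r"\bpc : (\w+)")
TASK_RE = re.compile(r"PID: (\d+) Comm: (\S+)")
# Faulting and calling symbols shown in the advisory's call trace.
FPSIMD_SYMS = {"sve_save_state", "fpsimd_save_user_state", "fpsimd_thread_switch"}

def split_oopses(text):
    """Yield each NULL-deref oops as a list of lines, header through end-trace footer."""
    block = None
    for line in text.splitlines():
        if OOPS_START.search(line):
            block = [line]
        elif block is not None:
            block.append(line)
            if OOPS_END.search(line):
                yield block
                block = None

def find_fpsimd_null_derefs(text):
    """Return (pid, comm, pc_symbol) for oopses faulting in the fpsimd/SVE save path."""
    hits = []
    for block in split_oopses(text):
        joined = "\n".join(block)
        pc = PC_RE.search(joined)
        if pc is None or pc.group(1) not in FPSIMD_SYMS:
            continue  # some other NULL dereference, not this signature
        task = TASK_RE.search(joined)
        pid, comm = (int(task.group(1)), task.group(2)) if task else (None, "?")
        hits.append((pid, comm, pc.group(1)))
    return hits
```

Feed it the output of `journalctl -k` or `dmesg` instead of SAMPLE_LOG; an empty result means no matching oops was logged, not that the kernel is patched.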


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring that the task's sve_state is properly allocated when restoring the ZA context in the Linux kernel. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

Until the kernel is updated, avoid using or restoring ZA signal contexts in ways that could trigger this issue, such as using checkpoint/restore tools like CRIU that save and restore tasks with ZA contexts.

Monitoring kernel updates and applying patches promptly is the recommended course of action.
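An added example, not part of the page: a check of a running kernel's `uname -r` against the affected ranges listed in the CPE table above. It classifies only the upstream version string; distribution kernels backport fixes, so "affected" means the vendor changelog needs to be consulted, not that the host is certainly vulnerable.

```python
import platform
import re

# Affected ranges from the advisory's CPE table, as [start, end) tuples where
# the end is the first stable release outside the range.  The page lists 6.19
# without a range, so 6.19 pre-release builds are reported separately.
AFFECTED_RANGES = [
    ((5, 19, 0), (6, 1, 162)),
    ((6, 2, 0), (6, 6, 122)),
    ((6, 7, 0), (6, 12, 68)),
    ((6, 13, 0), (6, 18, 8)),
]

def parse_release(uname_r):
    """Turn a `uname -r` string such as '6.12.40-1-arm64' into (6, 12, 40)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(uname_r, machine="aarch64"):
    """One of 'not-arm64', 'affected', 'prerelease-listed', 'not-listed'.
    The bug is arm64-only, so other architectures are reported as out of scope."""
    if machine != "aarch64":
        return "not-arm64"
    v = parse_release(uname_r)
    if v[:2] == (6, 19) and "-rc" in uname_r:
        return "prerelease-listed"
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "affected"
    return "not-listed"

if __name__ == "__main__":
    u = platform.uname()
    print(u.release, u.machine, classify(u.release, u.machine))
```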

