CVE-2026-23127
Unknown Unknown - Not Provided
Use-After-Free Warning in Linux Kernel perf mmap_count Refcount Increment

Publication date: 2026-02-14

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: perf: Fix refcount warning on event->mmap_count increment When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the following warning is triggered: refcount_t: addition on 0; use-after-free. WARNING: lib/refcount.c:25 PoC: struct perf_event_attr attr = {0}; int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0); mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd, PERF_FLAG_FD_OUTPUT); mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0); This occurs when creating a group member event with the flag PERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing the event triggers the warning. Since the event has copied the output_event in perf_event_set_output(), event->rb is set. As a result, perf_mmap_rb() calls refcount_inc(&event->mmap_count) when event->mmap_count = 0. Disallow the case when event->mmap_count = 0. This also prevents two events from updating the same user_page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23127
EUVD
EUVD-2026-5908
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.18 (inc) to 6.18.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's perf subsystem. It occurs when the function perf_mmap_rb() calls refcount_inc(&event->mmap_count) while event->mmap_count is zero, triggering a refcount warning indicating a use-after-free condition.

Specifically, when creating a group member event with the flag PERF_FLAG_FD_OUTPUT, the group leader is mmap-ed first, and then mmap-ing the event triggers the warning. This happens because the event has copied the output_event, setting event->rb, which causes perf_mmap_rb() to increment event->mmap_count even though it is zero.

The issue is fixed by disallowing the case when event->mmap_count equals zero, preventing two events from updating the same user_page and avoiding the refcount warning.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Linux kernel's perf subsystem, which may cause instability or crashes in the kernel.

Because it involves incorrect reference counting on mmap_count, it could potentially allow memory corruption or unexpected behavior when handling performance events, especially when using group member events with PERF_FLAG_FD_OUTPUT.

Such kernel-level issues can impact system reliability and security, possibly leading to denial of service or other unintended side effects.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing the specific refcount warning triggered in the Linux kernel logs when the perf subsystem is used. The warning message to look for is:

  • "refcount_t: addition on 0; use-after-free."
  • "WARNING: lib/refcount.c:25"

To reproduce or detect this issue, you can run commands similar to the provided proof of concept (PoC) which involves using the perf_event_open syscall and mmap calls to create a group member event with the PERF_FLAG_FD_OUTPUT flag. Example commands (in C or via syscall wrappers) include:

  • 1. Create a perf event with syscall __NR_perf_event_open.
  • 2. Use mmap with PROT_READ | PROT_WRITE and MAP_SHARED on the returned file descriptor.
  • 3. Create a group member event with PERF_FLAG_FD_OUTPUT flag referencing the first event.
  • 4. mmap the group member event and check kernel logs for the refcount warning.

Monitoring kernel logs (e.g., via dmesg or journalctl) for the specific refcount warning is the primary detection method.

Mitigation Strategies

The immediate mitigation step is to update the Linux kernel to a version where this vulnerability has been fixed. The fix disallows the case when event->mmap_count is zero before incrementing, preventing the use-after-free warning and related issues.

Until the kernel is updated, avoid creating perf event groups with the PERF_FLAG_FD_OUTPUT flag and performing mmap operations on group member events, as this triggers the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23127. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart