CVE-2026-23127
Use-After-Free Warning in Linux Kernel perf mmap_count Refcount Increment
Publication date: 2026-02-14
Last updated on: 2026-03-18
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.18 (inc) to 6.18.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's perf subsystem. It occurs when the function perf_mmap_rb() calls refcount_inc(&event->mmap_count) while event->mmap_count is zero, triggering a refcount warning indicating a use-after-free condition.
Specifically, when creating a group member event with the flag PERF_FLAG_FD_OUTPUT, the group leader is mmap-ed first, and then mmap-ing the event triggers the warning. This happens because the event has copied the output_event, setting event->rb, which causes perf_mmap_rb() to increment event->mmap_count even though it is zero.
The issue is fixed by disallowing the case when event->mmap_count equals zero, preventing two events from updating the same user_page and avoiding the refcount warning.
How can this vulnerability impact me?
This vulnerability can lead to a use-after-free condition in the Linux kernel's perf subsystem, which may cause instability or crashes in the kernel.
Because it involves incorrect reference counting on mmap_count, it could potentially allow memory corruption or unexpected behavior when handling performance events, especially when using group member events with PERF_FLAG_FD_OUTPUT.
Such kernel-level issues can impact system reliability and security, possibly leading to denial of service or other unintended side effects.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing the specific refcount warning triggered in the Linux kernel logs when the perf subsystem is used. The warning messages to look for are:
- "refcount_t: addition on 0; use-after-free."
- "WARNING: lib/refcount.c:25"
To reproduce or detect this issue, you can run commands similar to the provided proof of concept (PoC), which uses the perf_event_open syscall and mmap calls to create a group member event with the PERF_FLAG_FD_OUTPUT flag. Example commands (in C or via syscall wrappers) include:
1. Create a perf event with syscall __NR_perf_event_open.
2. Use mmap with PROT_READ | PROT_WRITE and MAP_SHARED on the returned file descriptor.
3. Create a group member event with the PERF_FLAG_FD_OUTPUT flag referencing the first event.
4. mmap the group member event and check kernel logs for the refcount warning.
Monitoring kernel logs (e.g., via dmesg or journalctl) for the specific refcount warning is the primary detection method.
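The log check described above, as an added example that is not part of the original page or the kernel project. The refcount message is generic, so the script tags each occurrence by whether a perf mmap frame follows it. It assumes the call trace contains a symbol beginning with `perf_mmap`; the function names and sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage kernel log text for the refcount warning quoted above.
# Reads kernel log text on stdin and prints "<TAG>\t<warning line>" per hit.
# TAG is PERF_MMAP when a perf mmap frame follows the warning, else OTHER.

# Assumption: the trace after the warning contains a symbol starting with
# "perf_mmap" (perf_mmap_rb may be inlined into its caller).
# $1 = maximum number of lines to inspect after each warning (default 40).
scan_refcount_warnings() {
    awk -v window="${1:-40}" '
        function report() {
            printf "%s\t%s\n", (perf ? "PERF_MMAP" : "OTHER"), hit
            pending = 0
        }
        /refcount_t: addition on 0; use-after-free/ {
            if (pending) report()          # previous trace never closed
            pending = 1; left = window; perf = 0; hit = $0
            next
        }
        pending {
            if ($0 ~ /perf_mmap/) perf = 1
            # Stop at the end-of-trace marker or when the window runs out.
            if ($0 ~ /end trace/ || --left == 0) report()
        }
        END { if (pending) report() }
    '
}

# Constructed sample: one warning with a perf mmap frame, one without.
sample_log() {
    cat <<'EOF'
[  101.000001] ------------[ cut here ]------------
[  101.000002] refcount_t: addition on 0; use-after-free.
[  101.000003] WARNING: lib/refcount.c:25
[  101.000004] Call Trace:
[  101.000005]  perf_mmap+0x0/0x0
[  101.000006]  mmap_region+0x0/0x0
[  101.000007] ---[ end trace 0000000000000000 ]---
[  205.000001] refcount_t: addition on 0; use-after-free.
[  205.000002] WARNING: lib/refcount.c:25
[  205.000003] Call Trace:
[  205.000004]  example_driver_get+0x0/0x0
EOF
}

# Offline demo on the constructed sample. On a live host, feed it real logs:
#   dmesg | scan_refcount_warnings      or      journalctl -k | scan_refcount_warnings
sample_log | scan_refcount_warnings
```

A `PERF_MMAP` line on a kernel in the affected ranges listed above is worth correlating with the process that issued the mmap; `OTHER` lines point to a different refcount problem.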
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Linux kernel to a version where this vulnerability has been fixed. The fix disallows the case when event->mmap_count is zero before incrementing, preventing the use-after-free warning and related issues.
Until the kernel is updated, avoid creating perf event groups with the PERF_FLAG_FD_OUTPUT flag and performing mmap operations on group member events, as this triggers the vulnerability.