CVE-2026-23134
Unknown Unknown - Not Provided
Sleeping Lock Context Check Bypass in Linux Kernel PREEMPT_RT

Publication date: 2026-02-14

Last updated on: 2026-03-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: slab: fix kmalloc_nolock() context check for PREEMPT_RT On PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current check in kmalloc_nolock() only verifies we're not in NMI or hard IRQ context, but misses the case where preemption is disabled. When a BPF program runs from a tracepoint with preemption disabled (preempt_count > 0), kmalloc_nolock() proceeds to call local_lock_irqsave() which attempts to acquire a sleeping lock, triggering: BUG: sleeping function called from invalid context in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 6128 preempt_count: 2, expected: 0 Fix this by checking !preemptible() on PREEMPT_RT, which directly expresses the constraint that we cannot take a sleeping lock when preemption is disabled. This encompasses the previous checks for NMI and hard IRQ contexts while also catching cases where preemption is disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23134
EUVD
EUVD-2026-5903
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.18 (inc) to 6.18.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's slab allocator, specifically in the kmalloc_nolock() function when running on PREEMPT_RT kernels. The issue is that kmalloc_nolock() checks if it is running in non-maskable interrupt (NMI) or hard IRQ context but fails to check if preemption is disabled. On PREEMPT_RT kernels, local_lock becomes a sleeping lock, which cannot be acquired when preemption is disabled.

When a BPF program runs from a tracepoint with preemption disabled (preempt_count > 0), kmalloc_nolock() calls local_lock_irqsave(), which tries to acquire a sleeping lock. This leads to a kernel bug where a sleeping function is called from an invalid context, causing a BUG message and potential kernel instability.

The fix involves adding a check for !preemptible() on PREEMPT_RT kernels to ensure that sleeping locks are not taken when preemption is disabled, covering all relevant contexts including NMI, hard IRQ, and disabled preemption.

Impact Analysis

This vulnerability can cause the Linux kernel to trigger a BUG due to a sleeping function being called from an invalid context. This can lead to kernel instability, crashes, or unexpected behavior when running BPF programs on PREEMPT_RT kernels with preemption disabled.

Such instability can affect system reliability and availability, potentially causing downtime or data loss depending on the environment where the kernel is deployed.

Compliance Impact

I don't know

Detection Guidance

This vulnerability manifests as a BUG triggered by calling a sleeping function from an invalid context in the Linux kernel when running on PREEMPT_RT kernels.

Specifically, the kernel log may show messages similar to:

  • BUG: sleeping function called from invalid context
  • in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: <process_id>
  • preempt_count: > 0, expected: 0

To detect this issue, monitor your system logs (e.g., using dmesg or journalctl) for these BUG messages.

Example commands to check kernel logs for this issue include:

  • dmesg | grep 'BUG: sleeping function called from invalid context'
  • journalctl -k | grep 'BUG: sleeping function called from invalid context'
Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where the kmalloc_nolock() context check properly accounts for PREEMPT_RT context by checking !preemptible().

Immediate mitigation steps include:

  • Update your Linux kernel to the latest version that includes the fix for this issue.
  • Avoid running BPF programs from tracepoints with preemption disabled until the fix is applied.
  • Monitor kernel logs for BUG messages indicating this issue to detect if the vulnerability is being triggered.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23134. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart