CVE-2026-23309
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in Linux Kernel Tracing Component

Publication date: 2026-03-25

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to trigger_data_free() If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter. Fix the problem by adding a NULL pointer check to trigger_data_free(). The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23309
EUVD
EUVD-2026-15251
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19.4 (inc) to 6.19.7 (exc)
linux linux_kernel From 6.1.165 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.6.128 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.12.75 (inc) to 6.12.77 (exc)
linux linux_kernel From 6.18.14 (inc) to 6.18.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's tracing subsystem. Specifically, when the function trigger_data_alloc() fails and returns NULL, the code jumps to an error handling path that calls trigger_data_free(). However, trigger_data_free() does not check if its input pointer is NULL before dereferencing it, leading to a NULL pointer dereference when it tries to access data->cmd_ops->set_filter.

The issue is fixed by adding a NULL pointer check in trigger_data_free() to prevent dereferencing a NULL pointer.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which may lead to a kernel crash or system instability. Such a crash could result in denial of service (DoS) conditions, affecting system availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23309. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart