CVE-2026-23435
NULL Pointer Dereference in Linux Kernel perf Event Handling Causes Crash

Publication date: 2026-04-03

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Move event pointer setup earlier in x86_pmu_enable()

A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler:

  BUG: kernel NULL pointer dereference, address: 0000000000000198
  RIP: x86_perf_event_update+0xc/0xa0
  Call Trace:
   <NMI>
   amd_pmu_v2_handle_irq+0x1a6/0x390
   perf_event_nmi_handler+0x24/0x40

The faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0, corresponding to the `if (unlikely(!hwc->event_base))` check in x86_perf_event_update() where hwc = &event->hw and event is NULL.

drgn inspection of the vmcore on CPU 106 showed a mismatch between cpuc->active_mask and cpuc->events[]:

  active_mask: 0x1e (bits 1, 2, 3, 4)
  events[1]: 0xff1100136cbd4f38 (valid)
  events[2]: 0x0 (NULL, but active_mask bit 2 set)
  events[3]: 0xff1100076fd2cf38 (valid)
  events[4]: 0xff1100079e990a90 (valid)

The event that should occupy events[2] was found in event_list[2] with hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run (which clears hw.state and sets active_mask) but events[2] was never populated. Another event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH), showing it was stopped when the PMU rescheduled events, confirming the throttle-then-reschedule sequence occurred.

The root cause is commit 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss") which moved the cpuc->events[idx] assignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(), after the PERF_HES_ARCH check. This broke any path that calls pmu->start() without going through x86_pmu_enable() -- specifically the unthrottle path:

  perf_adjust_freq_unthr_events()
    -> perf_event_unthrottle_group()
      -> perf_event_unthrottle()
        -> event->pmu->start(event, 0)
          -> x86_pmu_start()   // sets active_mask but not events[]

The race sequence is:

1. A group of perf events overflows, triggering group throttle via perf_event_throttle_group(). All events are stopped: active_mask bits cleared, events[] preserved (x86_pmu_stop no longer clears events[] after commit 7e772a93eb61).

2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs due to other scheduling activity. Stopped events that need to move counters get PERF_HES_ARCH set and events[old_idx] cleared. In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events to be skipped -- events[new_idx] is never set.

3. The timer tick unthrottles the group via pmu->start(). Since commit 7e772a93eb61 removed the events[] assignment from x86_pmu_start(), active_mask[new_idx] is set but events[new_idx] remains NULL.

4. A PMC overflow NMI fires. The handler iterates active counters, finds active_mask[2] set, reads events[2] which is NULL, and crashes dereferencing it.

Move the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to before the PERF_HES_ARCH check, so that events[] is populated even for events that are not immediately started. This ensures the unthrottle path via pmu->start() always finds a valid event pointer.
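As an added illustration (not kernel code and not part of the advisory), the following C model reduces the description above to the two pieces of per-CPU state it talks about, active_mask and events[], and replays the four-step throttle/reschedule/unthrottle sequence with the pre-fix and post-fix ordering of the events[] write. pmu_start, pmu_enable and nmi_walk are stand-ins for x86_pmu_start(), step 2 of x86_pmu_enable() and the overflow handler's counter walk; the counter indices are chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NUM_COUNTERS     6
#define PERF_HES_STOPPED 0x1
#define PERF_HES_ARCH    0x4

struct event { int idx; unsigned state; };                /* stand-in for event->hw */
struct cpu_hw_events { uint64_t active_mask; struct event *events[NUM_COUNTERS]; };

/* x86_pmu_start() after 7e772a93eb61: clears hw.state, sets the active_mask bit,
 * but no longer writes cpuc->events[idx]. */
static void pmu_start(struct cpu_hw_events *cpuc, struct event *ev) {
    ev->state = 0;
    cpuc->active_mask |= 1ull << ev->idx;
}
/* x86_pmu_enable() for one stopped event that must move to new_idx. fixed=false
 * keeps the events[] write after the PERF_HES_ARCH skip (the bug); fixed=true
 * performs it before the skip, as the fix does. */
static void pmu_enable(struct cpu_hw_events *cpuc, struct event *ev, int new_idx, bool fixed) {
    cpuc->events[ev->idx] = NULL;                /* step 1: events[old_idx] cleared */
    if (ev->state & PERF_HES_STOPPED)
        ev->state |= PERF_HES_ARCH;              /* stopped: must not start here   */
    ev->idx = new_idx;
    if (fixed)
        cpuc->events[ev->idx] = ev;              /* fix: populate before the check */
    if (ev->state & PERF_HES_ARCH)
        return;                                  /* step 2 skips the event ...     */
    cpuc->events[ev->idx] = ev;                  /* ... so this write never happens */
    pmu_start(cpuc, ev);
}
/* NMI handler walk: index of the first active counter whose event pointer is
 * NULL (what the real handler then dereferenced), or -1 if state is consistent. */
static int nmi_walk(const struct cpu_hw_events *cpuc) {
    for (int idx = 0; idx < NUM_COUNTERS; idx++)
        if ((cpuc->active_mask & (1ull << idx)) && cpuc->events[idx] == NULL)
            return idx;
    return -1;
}
/* Replays steps 1-4 of the description for one event moved from counter 0 to 2. */
int replay(bool fixed) {
    struct cpu_hw_events cpuc = {0};
    struct event ev = { .idx = 0, .state = 0 };
    cpuc.events[0] = &ev;
    cpuc.active_mask = 1ull << 0;
    ev.state = PERF_HES_STOPPED;                 /* 1: group throttled             */
    cpuc.active_mask &= ~(1ull << 0);
    pmu_enable(&cpuc, &ev, 2, fixed);            /* 2: rescheduled while throttled */
    pmu_start(&cpuc, &ev);                       /* 3: tick unthrottles via start  */
    return nmi_walk(&cpuc);                      /* 4: overflow NMI walks counters */
}
```

replay(false) reports counter 2 as active with a NULL event pointer, the state drgn found in the vmcore; replay(true) reports no mismatch.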
Affected Vendors & Products

Vendor   Product        Version / Range
linux    linux_kernel   from 6.17.13 (inclusive) to 6.18 (exclusive)
linux    linux_kernel   from 6.18.2 (inclusive) to 6.18.20 (exclusive)
linux    linux_kernel   6.19
linux    linux_kernel   from 6.19.1 (inclusive) to 6.19.10 (exclusive)
linux    linux_kernel   7.0
CWE ID    Description
CWE-476   The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a NULL pointer dereference in the Linux kernel's perf subsystem, specifically in the PMU NMI handler, which can cause a system crash.

Detection would involve monitoring for kernel crash logs or oops messages indicating a NULL pointer dereference at the function x86_perf_event_update, with call traces involving amd_pmu_v2_handle_irq and perf_event_nmi_handler.

Specifically, look for kernel messages similar to: 'BUG: kernel NULL pointer dereference, address: 0000000000000198' and call traces showing the faulting instruction 'cmpq $0x0, 0x198(%rdi)' with RDI=0.

Since this is a kernel-level issue related to AMD EPYC systems using perf events, commands to check kernel logs such as 'dmesg' or 'journalctl -k' can be used to detect such crashes.

Example commands to detect this issue include:

  • dmesg | grep -i 'NULL pointer dereference'
  • journalctl -k | grep -i 'x86_perf_event_update'
  • journalctl -k | grep -i 'amd_pmu_v2_handle_irq'
  • Check for system crashes or reboots correlated with perf event activity on AMD EPYC systems.

Additionally, analyzing vmcore dumps with debugging tools like drgn to inspect cpuc->active_mask and cpuc->events[] arrays may help confirm the presence of the mismatch described in the vulnerability.
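The commands above grep each marker on its own, so any unrelated NULL pointer oops matches the first of them. The following C helper, added here and not part of the advisory or the kernel tree, instead requires the markers to appear together within one oops report. Both log excerpts are constructed for the example and only resemble the trace quoted in the description.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed dmesg excerpt shaped like the oops quoted in the description. */
static const char *perf_oops[] = {
    "BUG: kernel NULL pointer dereference, address: 0000000000000198",
    "RIP: 0010:x86_perf_event_update+0xc/0xa0",
    "Call Trace:",
    " <NMI>",
    " amd_pmu_v2_handle_irq+0x1a6/0x390",
    " perf_event_nmi_handler+0x24/0x40",
    " </NMI>",
};
/* Constructed unrelated oops: same BUG line class, different faulting code. */
static const char *other_oops[] = {
    "BUG: kernel NULL pointer dereference, address: 0000000000000000",
    "RIP: 0010:some_other_function+0x10/0x80",
    "Call Trace:",
    " <TASK>",
    " do_something+0x42/0x100",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
#define OOPS_WINDOW 32   /* lines of one report examined after its BUG line */

/* True when a BUG line is followed, within OOPS_WINDOW lines, by a RIP inside
 * x86_perf_event_update and a frame from the perf NMI path. The fault address
 * is deliberately not matched: it is the offset of hw.event_base in struct
 * perf_event for that build and need not be 0x198 on every kernel. */
bool log_shows_cve_2026_23435(const char **lines, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!strstr(lines[i], "BUG: kernel NULL pointer dereference"))
            continue;
        bool rip_hit = false, nmi_hit = false;
        for (size_t j = i + 1; j < n && j <= i + OOPS_WINDOW; j++) {
            if (strstr(lines[j], "RIP:") && strstr(lines[j], "x86_perf_event_update"))
                rip_hit = true;
            if (strstr(lines[j], "amd_pmu_v2_handle_irq") ||
                strstr(lines[j], "perf_event_nmi_handler"))
                nmi_hit = true;
            if (rip_hit && nmi_hit)
                return true;
        }
    }
    return false;
}

bool perf_oops_matches(void)  { return log_shows_cve_2026_23435(perf_oops, COUNT(perf_oops)); }
bool other_oops_matches(void) { return log_shows_cve_2026_23435(other_oops, COUNT(other_oops)); }
```

To run it over a live system, feed the lines of `journalctl -k` or `dmesg` into log_shows_cve_2026_23435() instead of the embedded arrays.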


Can you explain this vulnerability to me?

This vulnerability is a NULL pointer dereference in the Linux kernel's performance monitoring unit (PMU) code for x86 processors, specifically affecting AMD EPYC systems.

The issue arises because the kernel code moved the assignment of event pointers (cpuc->events[]) to a later step in the x86_pmu_enable() function, after a check that can cause some events to be skipped. This means that when the PMU unthrottle path calls pmu->start() without going through x86_pmu_enable(), the events[] array is not properly populated.

As a result, when a performance monitoring counter (PMC) overflow triggers a non-maskable interrupt (NMI), the handler tries to access an event pointer that is NULL, causing the kernel to crash with a NULL pointer dereference.

The root cause was a code change that moved the event pointer setup out of x86_pmu_start() and into a later step of x86_pmu_enable(), breaking the unthrottle path that calls pmu->start() directly.

The fix involved moving the assignment of the event pointer back to before the check that skips events, ensuring that even events not immediately started have valid pointers.


How can this vulnerability impact me?

This vulnerability can cause a production AMD EPYC system running the affected Linux kernel to crash unexpectedly due to a kernel NULL pointer dereference.

Such crashes can lead to system downtime, loss of data in memory, and interruption of critical services.

Because the crash occurs in the PMU NMI handler during performance monitoring, it may be triggered by workloads that heavily use performance counters or profiling tools.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by a NULL pointer dereference in the Linux kernel's perf subsystem related to PMU event handling on x86 systems, specifically AMD EPYC.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes the fix which moves the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to before the PERF_HES_ARCH check. This ensures that the events[] array is properly populated and prevents the NULL pointer dereference.

