Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-40327

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix system hang caused by cpu-clock usage

cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:

18dbcbfabfff ("perf: Fix the POLL_HUP delivery breakage") causes this issue

The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer.

But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.

To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.

[ mingo: Fixed the comments and improved the changelog. ]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cpu-clock event in the Linux perf subsystem can cause a system hang due to recursive hrtimer cancellation from within an hrtimer handler.

Vulnerability

CVE-2025-40327 describes a deadlock in the Linux kernel's perf subsystem that can lead to a system hang. The issue occurs when the cpu-clock software event is used, for example by the async-profiler tool. The root cause is a recursive call into the hrtimer subsystem.

The hang was bisected to commit 18dbcbfabfff ("perf: Fix the POLL_HUP delivery breakage"). In the perf event overflow handler (__perf_event_overflow()), which runs from the hrtimer callback context for cpu-clock events, the kernel would call cpu_clock_event_stop(). This function in turn calls hrtimer_cancel(), which tries to synchronously cancel the very hrtimer that is currently running the callback. The attempted cancellation from within the timer's own context leads to a deadlock.

The fix replaces hrtimer_cancel() with hrtimer_try_to_cancel() and sets the PERF_HES_STOPPED flag. This allows the hrtimer to run to completion, and on the next callback invocation the event handler will see the stopped flag and properly stop the event without recursion [1].
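The recursion and the fix described above, reduced to a user-space C model (an added example, not kernel code and not taken from the patch). The toy_* names, the spin bound and the TOY_WOULD_HANG marker are assumptions made for illustration; only the return-value contract of hrtimer_try_to_cancel() mirrors the kernel.

```c
/* User-space model of the hang; every toy_* name is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#define TOY_HES_STOPPED 0x01  /* stands in for PERF_HES_STOPPED */
#define TOY_WOULD_HANG  (-2)  /* constructed marker, not a kernel value */

struct toy_timer { bool queued, in_callback; unsigned state; };
struct toy_outcome { int stop_ret; bool restart; };

/* Contract of hrtimer_try_to_cancel(): -1 while the callback runs,
 * otherwise 1 if the timer was queued and 0 if it was not. */
static int toy_try_to_cancel(struct toy_timer *t)
{
    if (t->in_callback)
        return -1;
    int was_queued = t->queued;
    t->queued = false;
    return was_queued;
}

/* hrtimer_cancel() retries until the callback has finished. The kernel loop
 * is unbounded; the bound here only lets the model report the hang. */
static int toy_cancel(struct toy_timer *t)
{
    for (int spins = 0; spins < 1000; spins++) {
        int ret = toy_try_to_cancel(t);
        if (ret >= 0)
            return ret;
    }
    return TOY_WOULD_HANG;
}

/* One timer expiry in which the overflow path decides to stop the event. */
static struct toy_outcome toy_expire(bool fixed)
{
    struct toy_timer t = { .queued = false, .in_callback = true, .state = 0 };
    struct toy_outcome out;
    if (fixed) {                      /* patched stop path */
        t.state |= TOY_HES_STOPPED;
        out.stop_ret = toy_try_to_cancel(&t);
    } else {                          /* pre-fix stop path */
        out.stop_ret = toy_cancel(&t);
    }
    out.restart = !(t.state & TOY_HES_STOPPED);  /* handler re-arms unless stopped */
    return out;
}

int main(void)
{
    printf("pre-fix: %d  fixed: %d\n", toy_expire(false).stop_ret, toy_expire(true).stop_ret);
}
```

In the pre-fix case the kernel never gets past the cancel call, so `restart` carries no meaning there; in the fixed case the -1 from the try-cancel is expected and the stopped flag is what keeps the timer from being re-armed.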

Impact

A local attacker or unprivileged user running a profiling tool that uses cpu-clock events can trigger a system hang, resulting in a denial of service (DoS). No special privileges beyond access to the perf subsystem are required.

Mitigation

The patch has been merged into the Linux kernel stable tree. Users should apply the kernel update that includes commit eb3182ef0405 or update to a kernel version containing the fix [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
