VYPR
← All advisories
High severity7.8NVD Advisory· Published Jan 28, 2026· Updated Apr 27, 2026

CVE-2026-23014

CVE-2026-23014

Description

In the Linux kernel, the following vulnerability has been resolved:

perf: Ensure swevent hrtimer is properly destroyed

With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed.

Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a use-after-free in perf swevent hrtimer can occur if the timer is not fully canceled before event free.

Vulnerability

CVE-2026-23014 is a use-after-free vulnerability in the Linux kernel's perf subsystem, specifically in the software event (swevent) hrtimer handling. The root cause is that perf_swevent_cancel_hrtimer() uses hrtimer_try_to_cancel(), which may not fully stop the hrtimer if it is already running. Consequently, the hrtimer can still be active when the associated perf event is freed, leading to a use-after-free condition [1].

Exploitation

To exploit this vulnerability, an attacker must be able to create and destroy perf events, typically requiring local access and the ability to invoke the perf_event_open system call. The attack surface is local, and no special privileges are needed beyond the ability to interact with the perf subsystem. The bug occurs during event destruction, making it a race condition that could be triggered by concurrent operations [2].

Impact

A successful exploit could allow an attacker with local access to escalate privileges or cause a denial of service (system crash) by corrupting kernel memory. The vulnerability is rated High with a CVSS score of 7.8, indicating significant impact on confidentiality, integrity, and availability.

Mitigation

The fix is implemented in the Linux kernel by adding a perf_event::destroy handler that performs a full hrtimer_cancel() to ensure the timer is completely stopped before the event is freed. Patched versions are available in stable kernel updates. Users should apply the latest kernel patches from their distribution.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
  • Linux/Kernel10 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.17.8,<6.18
    • cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
  • Linux/Linux Kernel Rtllm-fuzzy

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.