{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-02T19:11:44.171","vulnerabilities":[{"cve":{"id":"CVE-2026-23127","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-02-14T15:16:07.963","lastModified":"2026-03-18T14:49:58.400","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix refcount warning on event->mmap_count increment\n\nWhen calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the\nfollowing warning is triggered:\n\n        refcount_t: addition on 0; use-after-free.\n        WARNING: lib/refcount.c:25\n\nPoC:\n\n    struct perf_event_attr attr = {0};\n    int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);\n    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n    int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,\n                         PERF_FLAG_FD_OUTPUT);\n    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);\n\nThis occurs when creating a group member event with the flag\nPERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing\nthe event triggers the warning.\n\nSince the event has copied the output_event in perf_event_set_output(),\nevent->rb is set. As a result, perf_mmap_rb() calls\nrefcount_inc(&event->mmap_count) when event->mmap_count = 0.\n\nDisallow the case when event->mmap_count = 0. This also prevents two\nevents from updating the same user_page."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nperf: Corrección de la advertencia de refcount en el incremento de event->mmap_count\n\nAl llamar a refcount_inc(&event->mmap_count) dentro de perf_mmap_rb(), se activa la siguiente advertencia:\n\n        refcount_t: adición en 0; uso después de liberación.\n        ADVERTENCIA: lib/refcount.c:25\n\nPoC:\n\n    struct perf_event_attr attr = {0};\n    int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);\n    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n    int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,\n                         PERF_FLAG_FD_OUTPUT);\n    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);\n\nEsto ocurre al crear un evento miembro de grupo con la bandera PERF_FLAG_FD_OUTPUT. El líder del grupo debe ser mapeado con mmap y luego mapear el evento con mmap activa la advertencia.\n\nDado que el evento ha copiado el output_event en perf_event_set_output(), event->rb está establecido. Como resultado, perf_mmap_rb() llama a refcount_inc(&event->mmap_count) cuando event->mmap_count = 0.\n\nNo permitir el caso cuando event->mmap_count = 0. Esto también evita que dos eventos actualicen la misma user_page."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18","versionEndExcluding":"6.18.8","matchCriteriaId":"7B26C1E1-97A9-48B8-81C6-B6A3A0FC6C7E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/23c0e4bd93d0b250775162faf456470485ac9fc7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d06bf78e55d5159c1b00072e606ab924ffbbad35","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}