High

Linux kernel perf __perf_event_overflow() race condition

IdentifiersCVE-2026-23271CWE-362· Concurrent Execution using Shared…

CVE-2026-23271 is a race condition in the Linux kernel perf subsystem. According to the provided description, __perf_event_overflow() was not guaranteed to run with IRQs disabled on all possible call paths; in particular, software events could invoke it with only preemption disabled. This created a race window against perf_remove_from_context(), perf_event_exit_event(), and related teardown paths, which could free objects that the overflow handling path still expected to be valid, including associated BPF program state. The issue was resolved by ensuring __perf_event_overflow() executes with IRQs disabled for all relevant call chains.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation of this race condition could lead to a use-after-free style memory safety failure in kernel context during perf event overflow handling. Depending on timing and reachable freed objects, impact could include kernel crashes or other undefined behavior. Because the affected code path references freed kernel objects such as BPF program state, the vulnerability may also present a path toward more serious kernel memory corruption outcomes, but the provided content does not establish a specific demonstrated privilege-escalation or code-execution result.

Mitigation

If you can’t patch tonight, do this now.

Until patched kernels can be deployed, reduce exposure by restricting access to perf events and related profiling capabilities to trusted users only, and disable or tightly control unprivileged perf usage where supported by system policy. Minimizing access to perf/BPF-related functionality may reduce exploitability, but no complete mitigation is provided in the supplied content short of applying the kernel fix.

Remediation

Patch, then assume compromise.

Apply the upstream Linux kernel fix for CVE-2026-23271 that ensures __perf_event_overflow() runs with IRQs disabled across all possible call chains, including software event paths. Use a kernel release that contains the perf subsystem patch addressing the __perf_event_overflow() versus perf_remove_from_context()/perf_event_exit_event() race.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

google security research pull requestsNews

May 6, 2026

Add kernelCTF CVE-2026-23271_lts by simond67 · Pull Request #379 · google/security-research · GitHub

A specific vulnerability identified as CVE-2026-23271 is referenced in the context of kernelCTF and exploit-related repository changes, suggesting exploit development or maintenance activity.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-23271

NVD

nvd.nist.gov/vuln/detail/CVE-2026-23271

MITRE CWE · CWE-362

Concurrent Execution using Shared Resource…

Patch

git.kernel.org/stable/c/3f89b61dd504c5b6711de9759e053b082f9abf12

Patch

git.kernel.org/stable/c/4df1a45819e50993cb351682a6ae8e7ed2d233a0

Patch

git.kernel.org/stable/c/4f8d5812337871227bb2c98669a87c306a2f86ef

Patch

git.kernel.org/stable/c/5c48fdc4b4623533d86e279f51531a7ba212eb87

Patch

git.kernel.org/stable/c/bb190628fe5f2a73ba762a9972ba16c5e895f73e

Patch

git.kernel.org/stable/c/c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae