CVE-2026-23127 — Vulnetix

CVE-2026-23127 PUBLISHED CVSS 5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved: perf: Fix refcount warning on event->mmap_count increment When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the following warning is triggered: refcount_t: addition on 0; use-after-free. WARNING: lib/refcount.c:25 PoC: struct perf_event_attr attr = {0}; int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0); mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd, PERF_FLAG_FD_OUTPUT); mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0); This occurs when creating a group member event with the flag PERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing the event triggers the warning. Since the event has copied the output_event in perf_event_set_output(), event->rb is set. As a result, perf_mmap_rb() calls refcount_inc(&event->mmap_count) when event->mmap_count = 0. Disallow the case when event->mmap_count = 0. This also prevents two events from updating the same user_page.

EPSS 0.02% · 5.5th percentile

Risk Scores

CVSS 3.1

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.02%

5.5th percentile

Affected Products

Vendor	Product	Versions
Linux	Linux	448f97fba9013ffa13f5dd82febd18836b189499, 6.18, 6.18.8
linux	linux_kernel	6.19, 6.19, 6.19

Exploit Intelligence

CIRCL seen: CVE-2026-23127 (circl-sighting)
https://git.kernel.org/stable/c/23c0e4bd93d0b250775162faf456470485ac9fc7 (circl)
https://git.kernel.org/stable/c/d06bf78e55d5159c1b00072e606ab924ffbbad35 (circl)

Timeline

Feb 14, 2026 CVE Published
Feb 14, 2026 PoC Published
Feb 15, 2026 EPSS Score
Feb 17, 2026 EPSS Score
Feb 19, 2026 EPSS Score
Feb 21, 2026 EPSS Score
Feb 22, 2026 EPSS Score
Feb 22, 2026 Security Advisory
Feb 24, 2026 EPSS Score
Feb 26, 2026 EPSS Score
Feb 28, 2026 EPSS Score
Mar 2, 2026 EPSS Score

References

Open in Interactive Console →