{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23311", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.994Z", "datePublished": "2026-03-25T10:27:06.915Z", "dateUpdated": "2026-03-25T10:27:06.915Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:06.915Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix invalid wait context in ctx_sched_in()\n\nLockdep found a bug in the event scheduling when a pinned event was\nfailed and wakes up the threads in the ring buffer like below.\n\nIt seems it should not grab a wait-queue lock under perf-context lock.\nLet's do it with irq_work.\n\n [ 39.913691] =============================\n [ 39.914157] [ BUG: Invalid wait context ]\n [ 39.914623] 6.15.0-next-20250530-next-2025053 #1 Not tainted\n [ 39.915271] -----------------------------\n [ 39.915731] repro/837 is trying to lock:\n [ 39.916191] ffff88801acfabd8 (&event->waitq){....}-{3:3}, at: __wake_up+0x26/0x60\n [ 39.917182] other info that might help us debug this:\n [ 39.917761] context-{5:5}\n [ 39.918079] 4 locks held by repro/837:\n [ 39.918530] #0: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: __perf_event_task_sched_in+0xd1/0xbc0\n [ 39.919612] #1: ffff88806ca3c6f8 (&cpuctx_lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1a7/0xbc0\n [ 39.920748] #2: ffff88800d91fc18 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1f9/0xbc0\n [ 39.921819] #3: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: perf_event_wakeup+0x6c/0x470"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6", "lessThan": "c67ab059953e3b66cb17ddd6524c23f9e1f6526d", "status": "affected", "versionType": "git"}, {"version": "f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6", "lessThan": "825f218ca70ef394c2b8546b313711d867b24584", "status": "affected", "versionType": "git"}, {"version": "f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6", "lessThan": "486ff5ad49bc50315bcaf6d45f04a33ef0a45ced", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/events/core.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c67ab059953e3b66cb17ddd6524c23f9e1f6526d"}, {"url": "https://git.kernel.org/stable/c/825f218ca70ef394c2b8546b313711d867b24584"}, {"url": "https://git.kernel.org/stable/c/486ff5ad49bc50315bcaf6d45f04a33ef0a45ced"}], "title": "perf/core: Fix invalid wait context in ctx_sched_in()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Fix invalid wait context in ctx_sched_in()\n\nLockdep found a bug in the event scheduling when a pinned event was\nfailed and wakes up the threads in the ring buffer like below.\n\nIt seems it should not grab a wait-queue lock under perf-context lock.\nLet's do it with irq_work.\n\n [ 39.913691] =============================\n [ 39.914157] [ BUG: Invalid wait context ]\n [ 39.914623] 6.15.0-next-20250530-next-2025053 #1 Not tainted\n [ 39.915271] -----------------------------\n [ 39.915731] repro/837 is trying to lock:\n [ 39.916191] ffff88801acfabd8 (&event->waitq){....}-{3:3}, at: __wake_up+0x26/0x60\n [ 39.917182] other info that might help us debug this:\n [ 39.917761] context-{5:5}\n [ 39.918079] 4 locks held by repro/837:\n [ 39.918530] #0: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: __perf_event_task_sched_in+0xd1/0xbc0\n [ 39.919612] #1: ffff88806ca3c6f8 (&cpuctx_lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1a7/0xbc0\n [ 39.920748] #2: ffff88800d91fc18 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_in+0x1f9/0xbc0\n [ 39.921819] #3: ffffffff8725cd00 (rcu_read_lock){....}-{1:3}, at: perf_event_wakeup+0x6c/0x470"}], "id": "CVE-2026-23311", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:27.327", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/486ff5ad49bc50315bcaf6d45f04a33ef0a45ced"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/825f218ca70ef394c2b8546b313711d867b24584"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c67ab059953e3b66cb17ddd6524c23f9e1f6526d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: perf/core: Fix invalid wait context in ctx_sched_in()", "id": "2451208", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451208"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-413", "details": ["A flaw was found in the Linux kernel's perf/core component. This vulnerability occurs due to an invalid wait context during event scheduling, specifically when a pinned event fails and attempts to wake up threads in the ring buffer. An attacker could potentially exploit this to cause system instability or a denial of service (DoS) by triggering this specific event scheduling scenario. This issue is related to incorrect handling of wait-queue locks under perf-context locks."], "name": "CVE-2026-23311", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23311\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23311\nhttps://lore.kernel.org/linux-cve-announce/2026032529-CVE-2026-23311-8c0b@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6,c67ab059953e3b66cb17ddd6524c23f9e1f6526d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6,825f218ca70ef394c2b8546b313711d867b24584)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f4b07fd62d4d11d57a15cb4ae01b3833282eb8f6,486ff5ad49bc50315bcaf6d45f04a33ef0a45ced)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T03:49:32.224817+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes commit 486ff5ad49\u2026 or later; this patch is incorporated in the 6.15 series and newer stable releases. If a distribution update is unavailable, apply the upstream commit directly to the kernel source and rebuild the kernel. Ensure kernel lockdep is enabled in production builds to detect similar lock ordering bugs. Monitor system logs for the \"Invalid wait context\" message and investigate promptly if it appears."], "summary": {"action": "Apply Patch", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The flaw is present in Linux kernel builds that have not yet applied the upstream patch identified by commit 486ff5ad49\u2026. The issue appears in the 6.15.0\u2011next-20250530 snapshot and earlier, meaning any kernel version before the successful integration of the commit is potentially affected. Exact supported distribution releases are not listed, so any Linux kernel not yet updated to include the fix is at risk.", "description_and_impact": "The Linux kernel bug occurs when a pinned perf event fails and the system attempts to wake threads while holding a lock that should not be protected by the perf context lock. This mismatched lock ordering triggers an invalid wait context, which results in a kernel panic and causes the system to become unavailable. The weakness is described by CWE\u2011362, CWE\u2011413, and CWE\u2011420, indicating a race condition, improper lock ordering, and an invalid wait context.", "risk_and_exploitability": "The CVSS score of 5.5 reflects a moderate severity. The EPSS score is reported as less than 1\u202f%, indicating a low probability of exploitation. The vulnerability is not part of the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that exploitation requires local interaction with perf events, implying that an attacker would need sufficient privileges to create or manipulate perf events on the host. No documented remote exploitation path exists, so the risk is confined to environments where a local attacker can trigger the scheduling path, leading to a denial of service."}}}}, "created": "2026-03-25T21:15:18.501156+00:00", "updated": "2026-03-26T12:16:46.026267+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}