CVE-2026-23159
MediumIn the Linux kernel, the following vulnerability has been resolved: perf: sched: Fix perf crash with new is_user_task() helper In order to do a user space stacktrace the current task needs to be a user task that has executed in user space. It use to be possible to test if a task is a user task or not by simply checking the task_struct mm field. If it was non NULL, it was a user task and if not it was a kernel task. But things have changed over time, and some kernel tasks now have their own mm field. An idea was made to instead test PF_KTHREAD and two functions were used to wrap this check in case it became more complex to test if a task was a user task or not[1]. But this was rejected and the C code simply checked the PF_KTHREAD directly. It was later found that not all kernel threads set PF_KTHREAD. The io-uring helpers instead set PF_USER_WORKER and this needed to be added as well. But checking the flags is still not enough. There's a very small window when a task exits that it frees its mm field and it is set back to NULL. If perf were to trigger at this moment, the flags test would say its a user space task but when perf would read the mm field it would crash with at NULL pointer dereference. Now there are flags that can be used to test if a task is exiting, but they are set in areas that perf may still want to profile the user space task (to see where it exited). The only real test is to check both the flags and the mm field. Instead of making this modification in every location, create a new is_user_task() helper function that does all the tests needed to know if it is safe to read the user space memory or not. [1] https://lore.kernel.org/all/[email protected]/
CVSS 3.1 score
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness type
CWE-476CVE-2026-23159 is a NULL Pointer Dereference vulnerability
What is NULL Pointer Dereference?
The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. Learn more on MITRE CWE
Affected versions
Linux kernel versions
6.6.116,
6.12.57,
6.17.7,
6.18
and later are affected. Fixed in
6.6.123,
6.12.69,
6.18.9,
6.19
and their respective stable series.
References
The following references provide additional information about CVE-2026-23159 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
-
PatchKernel patch commithttps://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e
-
PatchKernel patch commithttps://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617
-
PatchKernel patch commithttps://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c
Frequently asked questions
-
What is CVE-2026-23159?
CVE-2026-23159 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 , classified as a NULL Pointer Dereference flaw (CWE-476) . It affects Linux kernel versions from 6.6.116 onward and has been patched in 6.6.123, 6.12.69, 6.18.9 and others. CVE-2026-23159 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
What is the CVSS score for CVE-2026-23159?
CVE-2026-23159 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. -
Is there a patch available for CVE-2026-23159?
Yes — CVE-2026-23159 has been patched. Fixed versions include 6.6.123, 6.12.69, 6.18.9 and others. If you are running Linux kernel 6.6.116 or later up to the fix versions, apply the relevant patch for your kernel branch.
-
Is CVE-2026-23159 actively exploited?
No — CVE-2026-23159 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
-
What is NULL Pointer Dereference (CWE-476)?
The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. View CWE-476 on MITRE CWE →