{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23088","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.961Z","datePublished":"2026-02-04T16:08:11.717Z","dateUpdated":"2026-05-11T21:59:46.093Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:59:46.093Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix crash on synthetic stacktrace field usage\n\nWhen creating a synthetic event based on an existing synthetic event that\nhad a stacktrace field and the new synthetic event used that field a\nkernel crash occurred:\n\n ~# cd /sys/kernel/tracing\n ~# echo 's:stack unsigned long stack[];' > dynamic_events\n ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger\n ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' >> events/sched/sched_switch/trigger\n\nThe above creates a synthetic event that takes a stacktrace when a task\nschedules out in a non-running state and passes that stacktrace to the\nsched_switch event when that task schedules back in. It triggers the\n\"stack\" synthetic event that has a stacktrace as its field (called \"stack\").\n\n ~# echo 's:syscall_stack s64 id; unsigned long stack[];' >> dynamic_events\n ~# echo 'hist:keys=common_pid:s2=stack' >> events/synthetic/stack/trigger\n ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' >> events/raw_syscalls/sys_exit/trigger\n\nThe above makes another synthetic event called \"syscall_stack\" that\nattaches the first synthetic event (stack) to the sys_exit trace event and\nrecords the stacktrace from the stack event with the id of the system call\nthat is exiting.\n\nWhen enabling this event (or using it in a historgram):\n\n ~# echo 1 > events/synthetic/syscall_stack/enable\n\nProduces a kernel crash!\n\n BUG: unable to handle page fault for address: 0000000000400010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP PTI\n CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy)  Debian 6.16.3-1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:trace_event_raw_event_synth+0x90/0x380\n Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f\n RSP: 0018:ffffd2670388f958 EFLAGS: 00010202\n RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0\n RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50\n R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010\n R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90\n FS:  00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0\n Call Trace:\n  <TASK>\n  ? __tracing_map_insert+0x208/0x3a0\n  action_trace+0x67/0x70\n  event_hist_trigger+0x633/0x6d0\n  event_triggers_call+0x82/0x130\n  trace_event_buffer_commit+0x19d/0x250\n  trace_event_raw_event_sys_exit+0x62/0xb0\n  syscall_exit_work+0x9d/0x140\n  do_syscall_64+0x20a/0x2f0\n  ? trace_event_raw_event_sched_switch+0x12b/0x170\n  ? save_fpregs_to_fpstate+0x3e/0x90\n  ? _raw_spin_unlock+0xe/0x30\n  ? finish_task_switch.isra.0+0x97/0x2c0\n  ? __rseq_handle_notify_resume+0xad/0x4c0\n  ? __schedule+0x4b8/0xd00\n  ? restore_fpregs_from_fpstate+0x3c/0x90\n  ? switch_fpu_return+0x5b/0xe0\n  ? do_syscall_64+0x1ef/0x2f0\n  ? do_fault+0x2e9/0x540\n  ? __handle_mm_fault+0x7d1/0xf70\n  ? count_memcg_events+0x167/0x1d0\n  ? handle_mm_fault+0x1d7/0x2e0\n  ? do_user_addr_fault+0x2c3/0x7f0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe reason is that the stacktrace field is not labeled as such, and is\ntreated as a normal field and not as a dynamic event that it is.\n\nIn trace_event_raw_event_synth() the event is field is still treated as a\ndynamic array, but the retrieval of the data is considered a normal field,\nand the reference is just the meta data:\n\n// Meta data is retrieved instead of a dynamic array\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace_events_hist.c","kernel/trace/trace_events_synth.c"],"versions":[{"version":"00cf3d672a9dd409418647e9f98784c339c3ff63","lessThan":"98ecbfb2598c9c7ca755a29f402da9d36c057077","status":"affected","versionType":"git"},{"version":"00cf3d672a9dd409418647e9f98784c339c3ff63","lessThan":"327af07dff6ab5650b21491eb4f69694999ff3d1","status":"affected","versionType":"git"},{"version":"00cf3d672a9dd409418647e9f98784c339c3ff63","lessThan":"3b90d099efa2b67239bd3b3dc3521ec584261748","status":"affected","versionType":"git"},{"version":"00cf3d672a9dd409418647e9f98784c339c3ff63","lessThan":"90f9f5d64cae4e72defd96a2a22760173cb3c9ec","status":"affected","versionType":"git"},{"version":"b9453380c1c542fd095a4dbe9251eeba4022bbce","status":"affected","versionType":"git"},{"version":"5f52389bdd9eafb63b3a2f804e02aeb17b6a5f55","status":"affected","versionType":"git"},{"version":"f3baa42afeea0d5f04ad31525e861199d02210cc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/trace/trace_events_hist.c","kernel/trace/trace_events_synth.c"],"versions":[{"version":"6.3","status":"affected"},{"version":"0","lessThan":"6.3","status":"unaffected","versionType":"semver"},{"version":"6.6.122","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.68","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.8","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.6.122"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.12.68"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.18.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.237"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.124"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.43"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077"},{"url":"https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1"},{"url":"https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748"},{"url":"https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec"}],"title":"tracing: Fix crash on synthetic stacktrace field usage","x_generator":{"engine":"bippy-1.2.0"}}}}