{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23114","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.968Z","datePublished":"2026-02-14T15:09:47.048Z","dateUpdated":"2026-05-11T22:00:23.756Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:00:23.756Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: ptrace: Fix SVE writes on !SME systems\n\nWhen SVE is supported but SME is not supported, a ptrace write to the\nNT_ARM_SVE regset can place the tracee into an invalid state where\n(non-streaming) SVE register data is stored in FP_STATE_SVE format but\nTIF_SVE is clear. This can result in a later warning from\nfpsimd_restore_current_state(), e.g.\n\n  WARNING: CPU: 0 PID: 7214 at arch/arm64/kernel/fpsimd.c:383 fpsimd_restore_current_state+0x50c/0x748\n\nWhen this happens, fpsimd_restore_current_state() will set TIF_SVE,\nplacing the task into the correct state. This occurs before any other\ncheck of TIF_SVE can possibly occur, as other checks of TIF_SVE only\nhappen while the FPSIMD/SVE/SME state is live. Thus, aside from the\nwarning, there is no functional issue.\n\nThis bug was introduced during rework to error handling in commit:\n\n  9f8bf718f2923 (\"arm64/fpsimd: ptrace: Gracefully handle errors\")\n\n... where the setting of TIF_SVE was moved into a block which is only\nexecuted when system_supports_sme() is true.\n\nFix this by removing the system_supports_sme() check. This ensures that\nTIF_SVE is set for (SVE-formatted) writes to NT_ARM_SVE, at the cost of\nunconditionally manipulating the tracee's saved svcr value. The\nmanipulation of svcr is benign and inexpensive, and we already do\nsimilar elsewhere (e.g. during signal handling), so I don't think it's\nworth guarding this with system_supports_sme() checks.\n\nAside from the above, there is no functional change. The 'type' argument\nto sve_set_common() is only set to ARM64_VEC_SME (in ssve_set())) when\nsystem_supports_sme(), so the ARM64_VEC_SME case in the switch statement\nis still unreachable when !system_supports_sme(). When\nCONFIG_ARM64_SME=n, the only caller of sve_set_common() is sve_set(),\nand the compiler can constant-fold for the case where type is\nARM64_VEC_SVE, removing the logic for other cases."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/ptrace.c"],"versions":[{"version":"9f8bf718f29230e38a048d08fc3063e316cd60c1","lessThan":"4f39984176e7edcaba3432b6c649c6fe93bf2f80","status":"affected","versionType":"git"},{"version":"9f8bf718f29230e38a048d08fc3063e316cd60c1","lessThan":"128a7494a9f15aad60cc6b7e3546bf481ac54a13","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/ptrace.c"],"versions":[{"version":"6.16","status":"affected"},{"version":"0","lessThan":"6.16","status":"unaffected","versionType":"semver"},{"version":"6.18.8","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.18.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4f39984176e7edcaba3432b6c649c6fe93bf2f80"},{"url":"https://git.kernel.org/stable/c/128a7494a9f15aad60cc6b7e3546bf481ac54a13"}],"title":"arm64/fpsimd: ptrace: Fix SVE writes on !SME systems","x_generator":{"engine":"bippy-1.2.0"}}}}