
CVE-2026-23127

Published: February 14, 2026 · Updated: Feb 18, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 4.5th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

perf: Fix refcount warning on event->mmap_count increment

When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the following warning is triggered:

    refcount_t: addition on 0; use-after-free.
    WARNING: lib/refcount.c:25

PoC:

    struct perf_event_attr attr = {0};
    int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0);
    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd,
                         PERF_FLAG_FD_OUTPUT);
    mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);

This occurs when creating a group member event with the flag PERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing the event triggers the warning.

Since the event has copied the output_event in perf_event_set_output(), event->rb is set. As a result, perf_mmap_rb() calls refcount_inc(&event->mmap_count) when event->mmap_count = 0.

Disallow the case when event->mmap_count = 0. This also prevents two events from updating the same user_page.

NVD Source
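
The refcount rule behind the warning quoted above, as an added userspace model in C (an illustration written for this page, not kernel code and not the upstream patch). It shows an event that already has a ring buffer but a zero `mmap_count` being mapped with and without the "disallow `mmap_count` = 0" check; every `model_*` name and the `-EINVAL` return value are assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model only: every model_* name is hypothetical, not kernel code. */
#define MODEL_SATURATED 0xc0000000u /* mirrors the kernel's saturation value */

struct model_event {
    unsigned int mmap_count; /* stands in for refcount_t event->mmap_count */
    int has_rb;              /* nonzero once event->rb is set */
};
static int model_warnings;   /* refcount warnings raised so far */

/* refcount_inc() rule: an increment from 0 is reported as use-after-free. */
static void model_refcount_inc(unsigned int *r)
{
    if (*r == 0) {
        fprintf(stderr, "refcount_t: addition on 0; use-after-free.\n");
        model_warnings++;
        *r = MODEL_SATURATED; /* saturate: object is leaked, never freed again */
        return;
    }
    (*r)++;
}

/* mmap path; guarded != 0 applies the "disallow mmap_count == 0" rule. */
static int model_mmap(struct model_event *e, int guarded)
{
    if (!e->has_rb) {        /* first mapping creates the buffer, count = 1 */
        e->has_rb = 1;
        e->mmap_count = 1;
        return 0;
    }
    if (guarded && e->mmap_count == 0)
        return -EINVAL;      /* assumed error code for the rejected case */
    model_refcount_inc(&e->mmap_count);
    return 0;
}

int main(void)
{
    /* Constructed state: rb copied from another event, never mmap-ed itself. */
    struct model_event v = { .mmap_count = 0, .has_rb = 1 };
    int guarded = model_mmap(&v, 1);
    int unguarded = model_mmap(&v, 0);
    printf("guarded=%d unguarded=%d warnings=%d\n", guarded, unguarded, model_warnings);
    return 0;
}
```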

Technical Analysis

CVE-2026-23127 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A proof-of-concept (PoC) exploit exists for CVE-2026-23127. While not yet confirmed in active campaigns, the availability of PoC code increases exploitation risk substantially.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

POC AVAILABLE: Proof-of-concept code exists
Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE ID: CVE-2026-23127
Severity: NONE
CISA KEV: No
Exploit: POC
EPSS (30d): 0.02%
Published: Feb 14, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23127 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.