HOMEVULNERABILITIESCVE-2026-23159
NONE

CVE-2026-23159

Published: February 14, 2026· Updated: Feb 18, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

perf: sched: Fix perf crash with new is_user_task() helper

In order to do a user space stacktrace the current task needs to be a user

task that has executed in user space. It use to be possible to test if a

task is a user task or not by simply checking the task_struct mm field. If

it was non NULL, it was a user task and if not it was a kernel task.

But things have changed over time, and some kernel tasks now have their

own mm field.

An idea was made to instead test PF_KTHREAD and two functions were used to

wrap this check in case it became more complex to test if a task was a

user task or not[1]. But this was rejected and the C code simply checked

the PF_KTHREAD directly.

It was later found that not all kernel threads set PF_KTHREAD. The io-uring

helpers instead set PF_USER_WORKER and this needed to be added as well.

But checking the flags is still not enough. There's a very small window

when a task exits that it frees its mm field and it is set back to NULL.

If perf were to trigger at this moment, the flags test would say its a

user space task but when perf would read the mm field it would crash with

at NULL pointer dereference.

Now there are flags that can be used to test if a task is exiting, but

they are set in areas that perf may still want to profile the user space

task (to see where it exited). The only real test is to check both the

flags and the mm field.

Instead of making this modification in every location, create a new

is_user_task() helper function that does all the tests needed to know if

it is safe to read the user space memory or not.

[1] https://lore.kernel.org/all/[email protected]/

NVD Source

Technical Analysis

CVE-2026-23159 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (4)

Quick Facts

CVE IDCVE-2026-23159
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedFeb 14, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23159 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.