HOMEVULNERABILITIESCVE-2026-23435
NONE

CVE-2026-23435

Published: April 3, 2026· Updated: Apr 7, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Move event pointer setup earlier in x86_pmu_enable()

A production AMD EPYC system crashed with a NULL pointer dereference

in the PMU NMI handler:

BUG: kernel NULL pointer dereference, address: 0000000000000198

RIP: x86_perf_event_update+0xc/0xa0

Call Trace:

<NMI>

amd_pmu_v2_handle_irq+0x1a6/0x390

perf_event_nmi_handler+0x24/0x40

The faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0,

corresponding to the `if (unlikely(!hwc->event_base))` check in

x86_perf_event_update() where hwc = &event->hw and event is NULL.

drgn inspection of the vmcore on CPU 106 showed a mismatch between

cpuc->active_mask and cpuc->events[]:

active_mask: 0x1e (bits 1, 2, 3, 4)

events[1]: 0xff1100136cbd4f38 (valid)

events[2]: 0x0 (NULL, but active_mask bit 2 set)

events[3]: 0xff1100076fd2cf38 (valid)

events[4]: 0xff1100079e990a90 (valid)

The event that should occupy events[2] was found in event_list[2]

with hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run

(which clears hw.state and sets active_mask) but events[2] was

never populated.

Another event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH),

showing it was stopped when the PMU rescheduled events, confirming the

throttle-then-reschedule sequence occurred.

The root cause is commit 7e772a93eb61 ("perf/x86: Fix NULL event access

and potential PEBS record loss") which moved the cpuc->events[idx]

assignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(),

after the PERF_HES_ARCH check. This broke any path that calls

pmu->start() without going through x86_pmu_enable() -- specifically

the unthrottle path:

perf_adjust_freq_unthr_events()

-> perf_event_unthrottle_group()

-> perf_event_unthrottle()

-> event->pmu->start(event, 0)

-> x86_pmu_start() // sets active_mask but not events[]

The race sequence is:

1. A group of perf events overflows, triggering group throttle via

perf_event_throttle_group(). All events are stopped: active_mask

bits cleared, events[] preserved (x86_pmu_stop no longer clears

events[] after commit 7e772a93eb61).

2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs

due to other scheduling activity. Stopped events that need to

move counters get PERF_HES_ARCH set and events[old_idx] cleared.

In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events

to be skipped -- events[new_idx] is never set.

3. The timer tick unthrottles the group via pmu->start(). Since

commit 7e772a93eb61 removed the events[] assignment from

x86_pmu_start(), active_mask[new_idx] is set but events[new_idx]

remains NULL.

4. A PMC overflow NMI fires. The handler iterates active counters,

finds active_mask[2] set, reads events[2] which is NULL, and

crashes dereferencing it.

Move the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to

before the PERF_HES_ARCH check, so that events[] is populated even

for events that are not immediately started. This ensures the

unthrottle path via pmu->start() always finds a valid event pointer.

NVD Source

Technical Analysis

CVE-2026-23435 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (3)

Quick Facts

CVE IDCVE-2026-23435
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 3, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23435 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.