CVE-2026-23127

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf: Fix refcount warning on event-&gt;mmap_count increment<br /> <br /> When calling refcount_inc(&amp;event-&gt;mmap_count) inside perf_mmap_rb(), the<br /> following warning is triggered:<br /> <br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: lib/refcount.c:25<br /> <br /> PoC:<br /> <br /> struct perf_event_attr attr = {0};<br /> int fd = syscall(__NR_perf_event_open, &amp;attr, 0, -1, -1, 0);<br /> mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);<br /> int victim = syscall(__NR_perf_event_open, &amp;attr, 0, -1, fd,<br /> PERF_FLAG_FD_OUTPUT);<br /> mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0);<br /> <br /> This occurs when creating a group member event with the flag<br /> PERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing<br /> the event triggers the warning.<br /> <br /> Since the event has copied the output_event in perf_event_set_output(),<br /> event-&gt;rb is set. As a result, perf_mmap_rb() calls<br /> refcount_inc(&amp;event-&gt;mmap_count) when event-&gt;mmap_count = 0.<br /> <br /> Disallow the case when event-&gt;mmap_count = 0. This also prevents two<br /> events from updating the same user_page.