{"api_version":"1","generated_at":"2026-06-02T17:42:04+00:00","cve":"CVE-2026-23309","urls":{"html":"https://cve.report/CVE-2026-23309","api":"https://cve.report/api/cve/CVE-2026-23309.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23309","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23309"},"summary":{"title":"tracing: Add NULL pointer check to trigger_data_free()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add NULL pointer check to trigger_data_free()\n\nIf trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()\njumps to the out_free error path. While kfree() safely handles a NULL\npointer, trigger_data_free() does not. This causes a NULL pointer\ndereference in trigger_data_free() when evaluating\ndata->cmd_ops->set_filter.\n\nFix the problem by adding a NULL pointer check to trigger_data_free().\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-25 11:16:26","updated_at":"2026-05-28 14:24:05"},"problem_types":["CWE-476"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/477469223b2b840f436ce204333de87cb17e5d93","name":"https://git.kernel.org/stable/c/477469223b2b840f436ce204333de87cb17e5d93","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/59c15b9cc453b74beb9f04c6c398717e73612dc3","name":"https://git.kernel.org/stable/c/59c15b9cc453b74beb9f04c6c398717e73612dc3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e","name":"https://git.kernel.org/stable/c/13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/42b380f97d65e76e7b310facd525f730272daf57","name":"https://git.kernel.org/stable/c/42b380f97d65e76e7b310facd525f730272daf57","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/457965c13f0837a289c9164b842d0860133f6274","name":"https://git.kernel.org/stable/c/457965c13f0837a289c9164b842d0860133f6274","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2ce8ece5a78da67834db7728edc801889a64f643","name":"https://git.kernel.org/stable/c/2ce8ece5a78da67834db7728edc801889a64f643","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23309","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23309","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c10f0efe57728508d796ae4ba7abe4c14ec3d8ef 13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e6556e9329bc484e9dcdab6e346d959267c0636 59c15b9cc453b74beb9f04c6c398717e73612dc3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9b0513905e0598b9f8cfccab8e47497aed5d935d 42b380f97d65e76e7b310facd525f730272daf57 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 335dfe4bc6368e70e8c15419375cf609c4f85558 2ce8ece5a78da67834db7728edc801889a64f643 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e42efbe9754da78eafe11f6bd3ca9c8a094a752a 477469223b2b840f436ce204333de87cb17e5d93 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0550069cc25f513ce1f109c88f7c1f01d63297db 457965c13f0837a289c9164b842d0860133f6274 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.165 6.1.167 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.128 6.6.130 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.75 6.12.77 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18.14 6.18.17 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19.4 6.19.7 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"23309","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/trace/trace_events_trigger.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e","status":"affected","version":"c10f0efe57728508d796ae4ba7abe4c14ec3d8ef","versionType":"git"},{"lessThan":"59c15b9cc453b74beb9f04c6c398717e73612dc3","status":"affected","version":"7e6556e9329bc484e9dcdab6e346d959267c0636","versionType":"git"},{"lessThan":"42b380f97d65e76e7b310facd525f730272daf57","status":"affected","version":"9b0513905e0598b9f8cfccab8e47497aed5d935d","versionType":"git"},{"lessThan":"2ce8ece5a78da67834db7728edc801889a64f643","status":"affected","version":"335dfe4bc6368e70e8c15419375cf609c4f85558","versionType":"git"},{"lessThan":"477469223b2b840f436ce204333de87cb17e5d93","status":"affected","version":"e42efbe9754da78eafe11f6bd3ca9c8a094a752a","versionType":"git"},{"lessThan":"457965c13f0837a289c9164b842d0860133f6274","status":"affected","version":"0550069cc25f513ce1f109c88f7c1f01d63297db","versionType":"git"}]},{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/trace/trace_events_trigger.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"6.1.167","status":"affected","version":"6.1.165","versionType":"semver"},{"lessThan":"6.6.130","status":"affected","version":"6.6.128","versionType":"semver"},{"lessThan":"6.12.77","status":"affected","version":"6.12.75","versionType":"semver"},{"lessThan":"6.18.17","status":"affected","version":"6.18.14","versionType":"semver"},{"lessThan":"6.19.7","status":"affected","version":"6.19.4","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"6.1.165","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"6.6.128","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.77","versionStartIncluding":"6.12.75","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.17","versionStartIncluding":"6.18.14","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.7","versionStartIncluding":"6.19.4","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add NULL pointer check to trigger_data_free()\n\nIf trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()\njumps to the out_free error path. While kfree() safely handles a NULL\npointer, trigger_data_free() does not. This causes a NULL pointer\ndereference in trigger_data_free() when evaluating\ndata->cmd_ops->set_filter.\n\nFix the problem by adding a NULL pointer check to trigger_data_free().\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y."}],"providerMetadata":{"dateUpdated":"2026-05-11T22:04:23.455Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/13dcd9269e225e4c4ceabdaeebe2ce4661b54c6e"},{"url":"https://git.kernel.org/stable/c/59c15b9cc453b74beb9f04c6c398717e73612dc3"},{"url":"https://git.kernel.org/stable/c/42b380f97d65e76e7b310facd525f730272daf57"},{"url":"https://git.kernel.org/stable/c/2ce8ece5a78da67834db7728edc801889a64f643"},{"url":"https://git.kernel.org/stable/c/477469223b2b840f436ce204333de87cb17e5d93"},{"url":"https://git.kernel.org/stable/c/457965c13f0837a289c9164b842d0860133f6274"}],"title":"tracing: Add NULL pointer check to trigger_data_free()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23309","datePublished":"2026-03-25T10:27:04.828Z","dateReserved":"2026-01-13T15:37:45.994Z","dateUpdated":"2026-05-11T22:04:23.455Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 11:16:26","lastModifiedDate":"2026-05-28 14:24:05","problem_types":["CWE-476"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.165","versionEndExcluding":"6.1.167","matchCriteriaId":"D54E2FD5-7EF9-426A-9AE1-8E8DA970BCC8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.128","versionEndExcluding":"6.6.130","matchCriteriaId":"2099D3D0-97C6-44C5-913D-E616B07A9237"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.75","versionEndExcluding":"6.12.77","matchCriteriaId":"84A22880-A425-402F-879A-9309659E3D36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.14","versionEndExcluding":"6.18.17","matchCriteriaId":"4AEF99ED-2A46-4ECD-A9A4-D4D616C3DEE3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19.4","versionEndExcluding":"6.19.7","matchCriteriaId":"EABFC675-2A5E-4569-92F7-1E8942DA0683"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23309","Ordinal":"1","Title":"tracing: Add NULL pointer check to trigger_data_free()","CVE":"CVE-2026-23309","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23309","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Add NULL pointer check to trigger_data_free()\n\nIf trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse()\njumps to the out_free error path. While kfree() safely handles a NULL\npointer, trigger_data_free() does not. This causes a NULL pointer\ndereference in trigger_data_free() when evaluating\ndata->cmd_ops->set_filter.\n\nFix the problem by adding a NULL pointer check to trigger_data_free().\n\nThe problem was found by an experimental code review agent based on\ngemini-3.1-pro while reviewing backports into v6.18.y.","Type":"Description","Title":"tracing: Add NULL pointer check to trigger_data_free()"}]}}}