{"api_version":"1","generated_at":"2026-04-19T01:15:03+00:00","cve":"CVE-2026-23374","urls":{"html":"https://cve.report/CVE-2026-23374","api":"https://cve.report/api/cve/CVE-2026-23374.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23374","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23374"},"summary":{"title":"blktrace: fix __this_cpu_read/write in preemptible context","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix __this_cpu_read/write in preemptible context\n\ntracing_record_cmdline() internally uses __this_cpu_read() and\n__this_cpu_write() on the per-CPU variable trace_cmdline_save, and\ntrace_save_cmdline() explicitly asserts preemption is disabled via\nlockdep_assert_preemption_disabled(). These operations are only safe\nwhen preemption is off, as they were designed to be called from the\nscheduler context (probe_wakeup_sched_switch() / probe_wakeup()).\n\n__blk_add_trace() was calling tracing_record_cmdline(current) early in\nthe blk_tracer path, before ring buffer reservation, from process\ncontext where preemption is fully enabled. This triggers the following\nusing blktests/blktrace/002:\n\nblktrace/002 (blktrace ftrace corruption with sysfs trace) [failed]\n runtime 0.367s ... 0.437s\n something found in dmesg:\n [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n [ 81.239580] null_blk: disk nullb1 created\n [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n [ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n [ 81.362877] Tainted: [N]=TEST\n [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n [ 81.362881] Call Trace:\n [ 81.362884] \n [ 81.362886] dump_stack_lvl+0x8d/0xb0\n ...\n (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)\n\n[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n[ 81.239580] null_blk: disk nullb1 created\n[ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n[ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n[ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n[ 81.362877] Tainted: [N]=TEST\n[ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 81.362881] Call Trace:\n[ 81.362884] \n[ 81.362886] dump_stack_lvl+0x8d/0xb0\n[ 81.362895] check_preemption_disabled+0xce/0xe0\n[ 81.362902] tracing_record_cmdline+0x10/0x40\n[ 81.362923] __blk_add_trace+0x307/0x5d0\n[ 81.362934] ? lock_acquire+0xe0/0x300\n[ 81.362940] ? iov_iter_extract_pages+0x101/0xa30\n[ 81.362959] blk_add_trace_bio+0x106/0x1e0\n[ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0\n[ 81.362979] ? lockdep_init_map_type+0x58/0x260\n[ 81.362988] submit_bio_wait+0x56/0x90\n[ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250\n[ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10\n[ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0\n[ 81.363051] blkdev_read_iter+0xc1/0x140\n[ 81.363059] vfs_read+0x20b/0x330\n[ 81.363083] ksys_read+0x67/0xe0\n[ 81.363090] do_syscall_64+0xbf/0xf00\n[ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 81.363106] RIP: 0033:0x7f281906029d\n[ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec\n[ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d\n[ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000\n[ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000\n[ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000\n[ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a\n[ 81.363142] \n\nThe same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),\nand blk_add_trace_rq() paths as well.\n\nThe purpose of tracin\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-25 11:16:37","updated_at":"2026-04-18 09:16:22"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/da46b5dfef48658d03347cda21532bcdbb521e67","name":"https://git.kernel.org/stable/c/da46b5dfef48658d03347cda21532bcdbb521e67","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/59efa088752b1c380a0475974679850cc8aef907","name":"https://git.kernel.org/stable/c/59efa088752b1c380a0475974679850cc8aef907","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e5584932ac1dacc182c430d09e2b5490d1d4372b","name":"https://git.kernel.org/stable/c/e5584932ac1dacc182c430d09e2b5490d1d4372b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23374","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23374","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7ffbd48d5cab22bcd1120eb2349db1319e2d827a e5584932ac1dacc182c430d09e2b5490d1d4372b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7ffbd48d5cab22bcd1120eb2349db1319e2d827a 59efa088752b1c380a0475974679850cc8aef907 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7ffbd48d5cab22bcd1120eb2349db1319e2d827a da46b5dfef48658d03347cda21532bcdbb521e67 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.8","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.8 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.82 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.7 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23374","cve":"CVE-2026-23374","epss":"0.000220000","percentile":"0.058780000","score_date":"2026-04-18","updated_at":"2026-04-19 00:10:43"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/trace/blktrace.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"e5584932ac1dacc182c430d09e2b5490d1d4372b","status":"affected","version":"7ffbd48d5cab22bcd1120eb2349db1319e2d827a","versionType":"git"},{"lessThan":"59efa088752b1c380a0475974679850cc8aef907","status":"affected","version":"7ffbd48d5cab22bcd1120eb2349db1319e2d827a","versionType":"git"},{"lessThan":"da46b5dfef48658d03347cda21532bcdbb521e67","status":"affected","version":"7ffbd48d5cab22bcd1120eb2349db1319e2d827a","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/trace/blktrace.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.8"},{"lessThan":"3.8","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.82","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.82","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.7","versionStartIncluding":"3.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"3.8","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix __this_cpu_read/write in preemptible context\n\ntracing_record_cmdline() internally uses __this_cpu_read() and\n__this_cpu_write() on the per-CPU variable trace_cmdline_save, and\ntrace_save_cmdline() explicitly asserts preemption is disabled via\nlockdep_assert_preemption_disabled(). These operations are only safe\nwhen preemption is off, as they were designed to be called from the\nscheduler context (probe_wakeup_sched_switch() / probe_wakeup()).\n\n__blk_add_trace() was calling tracing_record_cmdline(current) early in\nthe blk_tracer path, before ring buffer reservation, from process\ncontext where preemption is fully enabled. This triggers the following\nusing blktests/blktrace/002:\n\nblktrace/002 (blktrace ftrace corruption with sysfs trace) [failed]\n runtime 0.367s ... 0.437s\n something found in dmesg:\n [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n [ 81.239580] null_blk: disk nullb1 created\n [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n [ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n [ 81.362877] Tainted: [N]=TEST\n [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n [ 81.362881] Call Trace:\n [ 81.362884] \n [ 81.362886] dump_stack_lvl+0x8d/0xb0\n ...\n (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)\n\n[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n[ 81.239580] null_blk: disk nullb1 created\n[ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n[ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n[ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n[ 81.362877] Tainted: [N]=TEST\n[ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 81.362881] Call Trace:\n[ 81.362884] \n[ 81.362886] dump_stack_lvl+0x8d/0xb0\n[ 81.362895] check_preemption_disabled+0xce/0xe0\n[ 81.362902] tracing_record_cmdline+0x10/0x40\n[ 81.362923] __blk_add_trace+0x307/0x5d0\n[ 81.362934] ? lock_acquire+0xe0/0x300\n[ 81.362940] ? iov_iter_extract_pages+0x101/0xa30\n[ 81.362959] blk_add_trace_bio+0x106/0x1e0\n[ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0\n[ 81.362979] ? lockdep_init_map_type+0x58/0x260\n[ 81.362988] submit_bio_wait+0x56/0x90\n[ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250\n[ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10\n[ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0\n[ 81.363051] blkdev_read_iter+0xc1/0x140\n[ 81.363059] vfs_read+0x20b/0x330\n[ 81.363083] ksys_read+0x67/0xe0\n[ 81.363090] do_syscall_64+0xbf/0xf00\n[ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 81.363106] RIP: 0033:0x7f281906029d\n[ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec\n[ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d\n[ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000\n[ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000\n[ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000\n[ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a\n[ 81.363142] \n\nThe same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),\nand blk_add_trace_rq() paths as well.\n\nThe purpose of tracin\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-04-18T08:58:20.182Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/e5584932ac1dacc182c430d09e2b5490d1d4372b"},{"url":"https://git.kernel.org/stable/c/59efa088752b1c380a0475974679850cc8aef907"},{"url":"https://git.kernel.org/stable/c/da46b5dfef48658d03347cda21532bcdbb521e67"}],"title":"blktrace: fix __this_cpu_read/write in preemptible context","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23374","datePublished":"2026-03-25T10:27:55.117Z","dateReserved":"2026-01-13T15:37:46.003Z","dateUpdated":"2026-04-18T08:58:20.182Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 11:16:37","lastModifiedDate":"2026-04-18 09:16:22","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23374","Ordinal":"1","Title":"blktrace: fix __this_cpu_read/write in preemptible context","CVE":"CVE-2026-23374","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23374","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix __this_cpu_read/write in preemptible context\n\ntracing_record_cmdline() internally uses __this_cpu_read() and\n__this_cpu_write() on the per-CPU variable trace_cmdline_save, and\ntrace_save_cmdline() explicitly asserts preemption is disabled via\nlockdep_assert_preemption_disabled(). These operations are only safe\nwhen preemption is off, as they were designed to be called from the\nscheduler context (probe_wakeup_sched_switch() / probe_wakeup()).\n\n__blk_add_trace() was calling tracing_record_cmdline(current) early in\nthe blk_tracer path, before ring buffer reservation, from process\ncontext where preemption is fully enabled. This triggers the following\nusing blktests/blktrace/002:\n\nblktrace/002 (blktrace ftrace corruption with sysfs trace) [failed]\n runtime 0.367s ... 0.437s\n something found in dmesg:\n [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n [ 81.239580] null_blk: disk nullb1 created\n [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n [ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n [ 81.362877] Tainted: [N]=TEST\n [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n [ 81.362881] Call Trace:\n [ 81.362884] \n [ 81.362886] dump_stack_lvl+0x8d/0xb0\n ...\n (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)\n\n[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n[ 81.239580] null_blk: disk nullb1 created\n[ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n[ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n[ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n[ 81.362877] Tainted: [N]=TEST\n[ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 81.362881] Call Trace:\n[ 81.362884] \n[ 81.362886] dump_stack_lvl+0x8d/0xb0\n[ 81.362895] check_preemption_disabled+0xce/0xe0\n[ 81.362902] tracing_record_cmdline+0x10/0x40\n[ 81.362923] __blk_add_trace+0x307/0x5d0\n[ 81.362934] ? lock_acquire+0xe0/0x300\n[ 81.362940] ? iov_iter_extract_pages+0x101/0xa30\n[ 81.362959] blk_add_trace_bio+0x106/0x1e0\n[ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0\n[ 81.362979] ? lockdep_init_map_type+0x58/0x260\n[ 81.362988] submit_bio_wait+0x56/0x90\n[ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250\n[ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10\n[ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0\n[ 81.363051] blkdev_read_iter+0xc1/0x140\n[ 81.363059] vfs_read+0x20b/0x330\n[ 81.363083] ksys_read+0x67/0xe0\n[ 81.363090] do_syscall_64+0xbf/0xf00\n[ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 81.363106] RIP: 0033:0x7f281906029d\n[ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec\n[ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d\n[ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000\n[ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000\n[ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000\n[ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a\n[ 81.363142] \n\nThe same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),\nand blk_add_trace_rq() paths as well.\n\nThe purpose of tracin\n---truncated---","Type":"Description","Title":"blktrace: fix __this_cpu_read/write in preemptible context"}]}}}