{"api_version":"1","generated_at":"2026-04-23T01:33:32+00:00","cve":"CVE-2026-23435","urls":{"html":"https://cve.report/CVE-2026-23435","api":"https://cve.report/api/cve/CVE-2026-23435.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23435","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23435"},"summary":{"title":"perf/x86: Move event pointer setup earlier in x86_pmu_enable()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Move event pointer setup earlier in x86_pmu_enable()\n\nA production AMD EPYC system crashed with a NULL pointer dereference\nin the PMU NMI handler:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000198\n  RIP: x86_perf_event_update+0xc/0xa0\n  Call Trace:\n   <NMI>\n   amd_pmu_v2_handle_irq+0x1a6/0x390\n   perf_event_nmi_handler+0x24/0x40\n\nThe faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0,\ncorresponding to the `if (unlikely(!hwc->event_base))` check in\nx86_perf_event_update() where hwc = &event->hw and event is NULL.\n\ndrgn inspection of the vmcore on CPU 106 showed a mismatch between\ncpuc->active_mask and cpuc->events[]:\n\n  active_mask: 0x1e (bits 1, 2, 3, 4)\n  events[1]:   0xff1100136cbd4f38  (valid)\n  events[2]:   0x0                 (NULL, but active_mask bit 2 set)\n  events[3]:   0xff1100076fd2cf38  (valid)\n  events[4]:   0xff1100079e990a90  (valid)\n\nThe event that should occupy events[2] was found in event_list[2]\nwith hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run\n(which clears hw.state and sets active_mask) but events[2] was\nnever populated.\n\nAnother event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH),\nshowing it was stopped when the PMU rescheduled events, confirming the\nthrottle-then-reschedule sequence occurred.\n\nThe root cause is commit 7e772a93eb61 (\"perf/x86: Fix NULL event access\nand potential PEBS record loss\") which moved the cpuc->events[idx]\nassignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(),\nafter the PERF_HES_ARCH check. This broke any path that calls\npmu->start() without going through x86_pmu_enable() -- specifically\nthe unthrottle path:\n\n  perf_adjust_freq_unthr_events()\n    -> perf_event_unthrottle_group()\n      -> perf_event_unthrottle()\n        -> event->pmu->start(event, 0)\n          -> x86_pmu_start()     // sets active_mask but not events[]\n\nThe race sequence is:\n\n  1. A group of perf events overflows, triggering group throttle via\n     perf_event_throttle_group(). All events are stopped: active_mask\n     bits cleared, events[] preserved (x86_pmu_stop no longer clears\n     events[] after commit 7e772a93eb61).\n\n  2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs\n     due to other scheduling activity. Stopped events that need to\n     move counters get PERF_HES_ARCH set and events[old_idx] cleared.\n     In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events\n     to be skipped -- events[new_idx] is never set.\n\n  3. The timer tick unthrottles the group via pmu->start(). Since\n     commit 7e772a93eb61 removed the events[] assignment from\n     x86_pmu_start(), active_mask[new_idx] is set but events[new_idx]\n     remains NULL.\n\n  4. A PMC overflow NMI fires. The handler iterates active counters,\n     finds active_mask[2] set, reads events[2] which is NULL, and\n     crashes dereferencing it.\n\nMove the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to\nbefore the PERF_HES_ARCH check, so that events[] is populated even\nfor events that are not immediately started. This ensures the\nunthrottle path via pmu->start() always finds a valid event pointer.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-03 16:16:25","updated_at":"2026-04-07 13:21:09"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/8d5fae6011260de209aaf231120e8146b14bc8e0","name":"https://git.kernel.org/stable/c/8d5fae6011260de209aaf231120e8146b14bc8e0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/886fa869153917d902784098922defa20c3a2fe5","name":"https://git.kernel.org/stable/c/886fa869153917d902784098922defa20c3a2fe5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c1dd1e2b722d3f1f2e4977dad8d1be78fdfb30cb","name":"https://git.kernel.org/stable/c/c1dd1e2b722d3f1f2e4977dad8d1be78fdfb30cb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23435","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23435","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e 886fa869153917d902784098922defa20c3a2fe5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e772a93eb61cb6265bdd1c5bde17d0f2718b452 c1dd1e2b722d3f1f2e4977dad8d1be78fdfb30cb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7e772a93eb61cb6265bdd1c5bde17d0f2718b452 8d5fae6011260de209aaf231120e8146b14bc8e0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected cf69b99805c263117305ac6dffbc85aaf9259d32 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.20 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.10 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0-rc5 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23435","cve":"CVE-2026-23435","epss":"0.000170000","percentile":"0.039750000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["arch/x86/events/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"886fa869153917d902784098922defa20c3a2fe5","status":"affected","version":"6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e","versionType":"git"},{"lessThan":"c1dd1e2b722d3f1f2e4977dad8d1be78fdfb30cb","status":"affected","version":"7e772a93eb61cb6265bdd1c5bde17d0f2718b452","versionType":"git"},{"lessThan":"8d5fae6011260de209aaf231120e8146b14bc8e0","status":"affected","version":"7e772a93eb61cb6265bdd1c5bde17d0f2718b452","versionType":"git"},{"status":"affected","version":"cf69b99805c263117305ac6dffbc85aaf9259d32","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["arch/x86/events/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.19"},{"lessThan":"6.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.20","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0-rc5","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.20","versionStartIncluding":"6.18.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.10","versionStartIncluding":"6.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0-rc5","versionStartIncluding":"6.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17.13","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Move event pointer setup earlier in x86_pmu_enable()\n\nA production AMD EPYC system crashed with a NULL pointer dereference\nin the PMU NMI handler:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000198\n  RIP: x86_perf_event_update+0xc/0xa0\n  Call Trace:\n   <NMI>\n   amd_pmu_v2_handle_irq+0x1a6/0x390\n   perf_event_nmi_handler+0x24/0x40\n\nThe faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0,\ncorresponding to the `if (unlikely(!hwc->event_base))` check in\nx86_perf_event_update() where hwc = &event->hw and event is NULL.\n\ndrgn inspection of the vmcore on CPU 106 showed a mismatch between\ncpuc->active_mask and cpuc->events[]:\n\n  active_mask: 0x1e (bits 1, 2, 3, 4)\n  events[1]:   0xff1100136cbd4f38  (valid)\n  events[2]:   0x0                 (NULL, but active_mask bit 2 set)\n  events[3]:   0xff1100076fd2cf38  (valid)\n  events[4]:   0xff1100079e990a90  (valid)\n\nThe event that should occupy events[2] was found in event_list[2]\nwith hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run\n(which clears hw.state and sets active_mask) but events[2] was\nnever populated.\n\nAnother event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH),\nshowing it was stopped when the PMU rescheduled events, confirming the\nthrottle-then-reschedule sequence occurred.\n\nThe root cause is commit 7e772a93eb61 (\"perf/x86: Fix NULL event access\nand potential PEBS record loss\") which moved the cpuc->events[idx]\nassignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(),\nafter the PERF_HES_ARCH check. This broke any path that calls\npmu->start() without going through x86_pmu_enable() -- specifically\nthe unthrottle path:\n\n  perf_adjust_freq_unthr_events()\n    -> perf_event_unthrottle_group()\n      -> perf_event_unthrottle()\n        -> event->pmu->start(event, 0)\n          -> x86_pmu_start()     // sets active_mask but not events[]\n\nThe race sequence is:\n\n  1. A group of perf events overflows, triggering group throttle via\n     perf_event_throttle_group(). All events are stopped: active_mask\n     bits cleared, events[] preserved (x86_pmu_stop no longer clears\n     events[] after commit 7e772a93eb61).\n\n  2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs\n     due to other scheduling activity. Stopped events that need to\n     move counters get PERF_HES_ARCH set and events[old_idx] cleared.\n     In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events\n     to be skipped -- events[new_idx] is never set.\n\n  3. The timer tick unthrottles the group via pmu->start(). Since\n     commit 7e772a93eb61 removed the events[] assignment from\n     x86_pmu_start(), active_mask[new_idx] is set but events[new_idx]\n     remains NULL.\n\n  4. A PMC overflow NMI fires. The handler iterates active counters,\n     finds active_mask[2] set, reads events[2] which is NULL, and\n     crashes dereferencing it.\n\nMove the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to\nbefore the PERF_HES_ARCH check, so that events[] is populated even\nfor events that are not immediately started. This ensures the\nunthrottle path via pmu->start() always finds a valid event pointer."}],"providerMetadata":{"dateUpdated":"2026-04-03T15:15:20.465Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/886fa869153917d902784098922defa20c3a2fe5"},{"url":"https://git.kernel.org/stable/c/c1dd1e2b722d3f1f2e4977dad8d1be78fdfb30cb"},{"url":"https://git.kernel.org/stable/c/8d5fae6011260de209aaf231120e8146b14bc8e0"}],"title":"perf/x86: Move event pointer setup earlier in x86_pmu_enable()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23435","datePublished":"2026-04-03T15:15:20.465Z","dateReserved":"2026-01-13T15:37:46.017Z","dateUpdated":"2026-04-03T15:15:20.465Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-03 16:16:25","lastModifiedDate":"2026-04-07 13:21:09","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23435","Ordinal":"1","Title":"perf/x86: Move event pointer setup earlier in x86_pmu_enable()","CVE":"CVE-2026-23435","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23435","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Move event pointer setup earlier in x86_pmu_enable()\n\nA production AMD EPYC system crashed with a NULL pointer dereference\nin the PMU NMI handler:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000198\n  RIP: x86_perf_event_update+0xc/0xa0\n  Call Trace:\n   <NMI>\n   amd_pmu_v2_handle_irq+0x1a6/0x390\n   perf_event_nmi_handler+0x24/0x40\n\nThe faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0,\ncorresponding to the `if (unlikely(!hwc->event_base))` check in\nx86_perf_event_update() where hwc = &event->hw and event is NULL.\n\ndrgn inspection of the vmcore on CPU 106 showed a mismatch between\ncpuc->active_mask and cpuc->events[]:\n\n  active_mask: 0x1e (bits 1, 2, 3, 4)\n  events[1]:   0xff1100136cbd4f38  (valid)\n  events[2]:   0x0                 (NULL, but active_mask bit 2 set)\n  events[3]:   0xff1100076fd2cf38  (valid)\n  events[4]:   0xff1100079e990a90  (valid)\n\nThe event that should occupy events[2] was found in event_list[2]\nwith hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run\n(which clears hw.state and sets active_mask) but events[2] was\nnever populated.\n\nAnother event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH),\nshowing it was stopped when the PMU rescheduled events, confirming the\nthrottle-then-reschedule sequence occurred.\n\nThe root cause is commit 7e772a93eb61 (\"perf/x86: Fix NULL event access\nand potential PEBS record loss\") which moved the cpuc->events[idx]\nassignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(),\nafter the PERF_HES_ARCH check. This broke any path that calls\npmu->start() without going through x86_pmu_enable() -- specifically\nthe unthrottle path:\n\n  perf_adjust_freq_unthr_events()\n    -> perf_event_unthrottle_group()\n      -> perf_event_unthrottle()\n        -> event->pmu->start(event, 0)\n          -> x86_pmu_start()     // sets active_mask but not events[]\n\nThe race sequence is:\n\n  1. A group of perf events overflows, triggering group throttle via\n     perf_event_throttle_group(). All events are stopped: active_mask\n     bits cleared, events[] preserved (x86_pmu_stop no longer clears\n     events[] after commit 7e772a93eb61).\n\n  2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs\n     due to other scheduling activity. Stopped events that need to\n     move counters get PERF_HES_ARCH set and events[old_idx] cleared.\n     In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events\n     to be skipped -- events[new_idx] is never set.\n\n  3. The timer tick unthrottles the group via pmu->start(). Since\n     commit 7e772a93eb61 removed the events[] assignment from\n     x86_pmu_start(), active_mask[new_idx] is set but events[new_idx]\n     remains NULL.\n\n  4. A PMC overflow NMI fires. The handler iterates active counters,\n     finds active_mask[2] set, reads events[2] which is NULL, and\n     crashes dereferencing it.\n\nMove the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to\nbefore the PERF_HES_ARCH check, so that events[] is populated even\nfor events that are not immediately started. This ensures the\nunthrottle path via pmu->start() always finds a valid event pointer.","Type":"Description","Title":"perf/x86: Move event pointer setup earlier in x86_pmu_enable()"}]}}}