{"id":"CVE-2026-23088","summary":"tracing: Fix crash on synthetic stacktrace field usage","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix crash on synthetic stacktrace field usage\n\nWhen creating a synthetic event based on an existing synthetic event that\nhad a stacktrace field and the new synthetic event used that field a\nkernel crash occurred:\n\n ~# cd /sys/kernel/tracing\n ~# echo 's:stack unsigned long stack[];' \u003e dynamic_events\n ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' \u003e\u003e events/sched/sched_switch/trigger\n ~# echo 'hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)' \u003e\u003e events/sched/sched_switch/trigger\n\nThe above creates a synthetic event that takes a stacktrace when a task\nschedules out in a non-running state and passes that stacktrace to the\nsched_switch event when that task schedules back in. It triggers the\n\"stack\" synthetic event that has a stacktrace as its field (called \"stack\").\n\n ~# echo 's:syscall_stack s64 id; unsigned long stack[];' \u003e\u003e dynamic_events\n ~# echo 'hist:keys=common_pid:s2=stack' \u003e\u003e events/synthetic/stack/trigger\n ~# echo 'hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)' \u003e\u003e events/raw_syscalls/sys_exit/trigger\n\nThe above makes another synthetic event called \"syscall_stack\" that\nattaches the first synthetic event (stack) to the sys_exit trace event and\nrecords the stacktrace from the stack event with the id of the system call\nthat is exiting.\n\nWhen enabling this event (or using it in a historgram):\n\n ~# echo 1 \u003e events/synthetic/syscall_stack/enable\n\nProduces a kernel crash!\n\n BUG: unable to handle page fault for address: 0000000000400010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP PTI\n CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy)  Debian 6.16.3-1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014\n RIP: 0010:trace_event_raw_event_synth+0x90/0x380\n Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 \u003c49\u003e 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f\n RSP: 0018:ffffd2670388f958 EFLAGS: 00010202\n RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0\n RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50\n R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010\n R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90\n FS:  00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0\n Call Trace:\n  \u003cTASK\u003e\n  ? __tracing_map_insert+0x208/0x3a0\n  action_trace+0x67/0x70\n  event_hist_trigger+0x633/0x6d0\n  event_triggers_call+0x82/0x130\n  trace_event_buffer_commit+0x19d/0x250\n  trace_event_raw_event_sys_exit+0x62/0xb0\n  syscall_exit_work+0x9d/0x140\n  do_syscall_64+0x20a/0x2f0\n  ? trace_event_raw_event_sched_switch+0x12b/0x170\n  ? save_fpregs_to_fpstate+0x3e/0x90\n  ? _raw_spin_unlock+0xe/0x30\n  ? finish_task_switch.isra.0+0x97/0x2c0\n  ? __rseq_handle_notify_resume+0xad/0x4c0\n  ? __schedule+0x4b8/0xd00\n  ? restore_fpregs_from_fpstate+0x3c/0x90\n  ? switch_fpu_return+0x5b/0xe0\n  ? do_syscall_64+0x1ef/0x2f0\n  ? do_fault+0x2e9/0x540\n  ? __handle_mm_fault+0x7d1/0xf70\n  ? count_memcg_events+0x167/0x1d0\n  ? handle_mm_fault+0x1d7/0x2e0\n  ? do_user_addr_fault+0x2c3/0x7f0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe reason is that the stacktrace field is not labeled as such, and is\ntreated as a normal field and not as a dynamic event that it is.\n\nIn trace_event_raw_event_synth() the event is field is still treated as a\ndynamic array, but the retrieval of the data is considered a normal field,\nand the reference is just the meta data:\n\n// Meta data is retrieved instead of a dynamic array\n---truncated---","modified":"2026-04-18T18:29:43.375019913Z","published":"2026-02-04T16:08:11.717Z","related":["SUSE-SU-2026:0962-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:20838-1","SUSE-SU-2026:20931-1","SUSE-SU-2026:21114-1","SUSE-SU-2026:21123-1","openSUSE-SU-2026:20416-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23088.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748"},{"type":"WEB","url":"https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec"},{"type":"WEB","url":"https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23088.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23088"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"00cf3d672a9dd409418647e9f98784c339c3ff63"},{"fixed":"98ecbfb2598c9c7ca755a29f402da9d36c057077"},{"fixed":"327af07dff6ab5650b21491eb4f69694999ff3d1"},{"fixed":"3b90d099efa2b67239bd3b3dc3521ec584261748"},{"fixed":"90f9f5d64cae4e72defd96a2a22760173cb3c9ec"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"b9453380c1c542fd095a4dbe9251eeba4022bbce"},{"last_affected":"5f52389bdd9eafb63b3a2f804e02aeb17b6a5f55"},{"last_affected":"f3baa42afeea0d5f04ad31525e861199d02210cc"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23088.json"}}],"schema_version":"1.7.5"}