{"id":"CVE-2026-23107","summary":"arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA","details":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Allocate SSVE storage when restoring ZA\n\nThe code to restore a ZA context doesn't attempt to allocate the task's\nsve_state before setting TIF_SME. Consequently, restoring a ZA context\ncan place a task into an invalid state where TIF_SME is set but the\ntask's sve_state is NULL.\n\nIn legitimate but uncommon cases where the ZA signal context was NOT\ncreated by the kernel in the context of the same task (e.g. if the task\nis saved/restored with something like CRIU), we have no guarantee that\nsve_state had been allocated previously. In these cases, userspace can\nenter streaming mode without trapping while sve_state is NULL, causing a\nlater NULL pointer dereference when the kernel attempts to store the\nregister state:\n\n| # ./sigreturn-za\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n| Mem abort info:\n|   ESR = 0x0000000096000046\n|   EC = 0x25: DABT (current EL), IL = 32 bits\n|   SET = 0, FnV = 0\n|   EA = 0, S1PTW = 0\n|   FSC = 0x06: level 2 translation fault\n| Data abort info:\n|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00\n| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000\n| Internal error: Oops: 0000000096000046 [#1]  SMP\n| Modules linked in:\n| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n| pc : sve_save_state+0x4/0xf0\n| lr : fpsimd_save_user_state+0xb0/0x1c0\n| sp : ffff80008070bcc0\n| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658\n| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000\n| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40\n| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000\n| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c\n| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020\n| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0\n| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48\n| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000\n| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440\n| Call trace:\n|  sve_save_state+0x4/0xf0 (P)\n|  fpsimd_thread_switch+0x48/0x198\n|  __switch_to+0x20/0x1c0\n|  __schedule+0x36c/0xce0\n|  schedule+0x34/0x11c\n|  exit_to_user_mode_loop+0x124/0x188\n|  el0_interrupt+0xc8/0xd8\n|  __el0_irq_handler_common+0x18/0x24\n|  el0t_64_irq_handler+0x10/0x1c\n|  el0t_64_irq+0x198/0x19c\n| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)\n| ---[ end trace 0000000000000000 ]---\n\nFix this by having restore_za_context() ensure that the task's sve_state\nis allocated, matching what we do when taking an SME trap. Any live\nSVE/SSVE state (which is restored earlier from a separate signal\ncontext) must be preserved, and hence this is not zeroed.","modified":"2026-04-02T17:30:05.803700Z","published":"2026-02-04T16:08:27.755Z","related":["SUSE-SU-2026:0962-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:20667-1","SUSE-SU-2026:20720-1","SUSE-SU-2026:20838-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23107.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214"},{"type":"WEB","url":"https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23107.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23107"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"39782210eb7e87634d96cacb6ece370bc59d74ba"},{"fixed":"c5a5b150992ebab779c1ce54f54676786e47e94c"},{"fixed":"19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214"},{"fixed":"0af233d66eff90fb8f3e0fc09f2316bba0b72bb9"},{"fixed":"70f7f54566afc23f2c71bf1411af81f5d8009e0f"},{"fixed":"ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23107.json"}}],"schema_version":"1.7.5"}