{"id":"CVE-2026-23107","summary":"arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA","details":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Allocate SSVE storage when restoring ZA\n\nThe code to restore a ZA context doesn't attempt to allocate the task's\nsve_state before setting TIF_SME. Consequently, restoring a ZA context\ncan place a task into an invalid state where TIF_SME is set but the\ntask's sve_state is NULL.\n\nIn legitimate but uncommon cases where the ZA signal context was NOT\ncreated by the kernel in the context of the same task (e.g. if the task\nis saved/restored with something like CRIU), we have no guarantee that\nsve_state had been allocated previously. In these cases, userspace can\nenter streaming mode without trapping while sve_state is NULL, causing a\nlater NULL pointer dereference when the kernel attempts to store the\nregister state:\n\n| # ./sigreturn-za\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n| Mem abort info:\n|   ESR = 0x0000000096000046\n|   EC = 0x25: DABT (current EL), IL = 32 bits\n|   SET = 0, FnV = 0\n|   EA = 0, S1PTW = 0\n|   FSC = 0x06: level 2 translation fault\n| Data abort info:\n|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00\n| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000\n| Internal error: Oops: 0000000096000046 [#1]  SMP\n| Modules linked in:\n| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n| pc : sve_save_state+0x4/0xf0\n| lr : fpsimd_save_user_state+0xb0/0x1c0\n| sp : ffff80008070bcc0\n| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658\n| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000\n| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40\n| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000\n| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c\n| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020\n| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0\n| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48\n| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000\n| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440\n| Call trace:\n|  sve_save_state+0x4/0xf0 (P)\n|  fpsimd_thread_switch+0x48/0x198\n|  __switch_to+0x20/0x1c0\n|  __schedule+0x36c/0xce0\n|  schedule+0x34/0x11c\n|  exit_to_user_mode_loop+0x124/0x188\n|  el0_interrupt+0xc8/0xd8\n|  __el0_irq_handler_common+0x18/0x24\n|  el0t_64_irq_handler+0x10/0x1c\n|  el0t_64_irq+0x198/0x19c\n| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)\n| ---[ end trace 0000000000000000 ]---\n\nFix this by having restore_za_context() ensure that the task's sve_state\nis allocated, matching what we do when taking an SME trap. Any live\nSVE/SSVE state (which is restored earlier from a separate signal\ncontext) must be preserved, and hence this is not zeroed.","modified":"2026-02-09T19:33:16.253641Z","published":"2026-02-04T16:08:27.755Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23107.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214"},{"type":"WEB","url":"https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23107.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23107"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"39782210eb7e87634d96cacb6ece370bc59d74ba"},{"fixed":"c5a5b150992ebab779c1ce54f54676786e47e94c"},{"fixed":"19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214"},{"fixed":"0af233d66eff90fb8f3e0fc09f2316bba0b72bb9"},{"fixed":"70f7f54566afc23f2c71bf1411af81f5d8009e0f"},{"fixed":"ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4"}]}],"versions":["v5.18","v5.18-rc4","v5.18-rc5","v5.18-rc6","v5.18-rc7","v5.19","v5.19-rc1","v5.19-rc2","v5.19-rc3","v5.19-rc4","v5.19-rc5","v5.19-rc6","v5.19-rc7","v5.19-rc8","v6.0","v6.0-rc1","v6.0-rc2","v6.0-rc3","v6.0-rc4","v6.0-rc5","v6.0-rc6","v6.0-rc7","v6.1","v6.1-rc1","v6.1-rc2","v6.1-rc3","v6.1-rc4","v6.1-rc5","v6.1-rc6","v6.1-rc7","v6.1-rc8","v6.1.1","v6.1.10","v6.1.100","v6.1.101","v6.1.102","v6.1.103","v6.1.104","v6.1.105","v6.1.106","v6.1.107","v6.1.108","v6.1.109","v6.1.11","v6.1.110","v6.1.111","v6.1.112","v6.1.113","v6.1.114","v6.1.115","v6.1.116","v6.1.117","v6.1.118","v6.1.119","v6.1.12","v6.1.120","v6.1.121","v6.1.122","v6.1.123","v6.1.124","v6.1.125","v6.1.126","v6.1.127","v6.1.128","v6.1.129","v6.1.13","v6.1.130","v6.1.131","v6.1.132","v6.1.133","v6.1.134","v6.1.135","v6.1.136","v6.1.137","v6.1.138","v6.1.139","v6.1.14","v6.1.140","v6.1.141","v6.1.142","v6.1.143","v6.1.144","v6.1.145","v6.1.146","v6.1.147","v6.1.148","v6.1.149","v6.1.15","v6.1.150","v6.1.151","v6.1.152","v6.1.153","v6.1.154","v6.1.155","v6.1.156","v6.1.157","v6.1.158","v6.1.159","v6.1.16","v6.1.160","v6.1.161","v6.1.17","v6.1.18","v6.1.19","v6.1.2","v6.1.20","v6.1.21","v6.1.22","v6.1.23","v6.1.24","v6.1.25","v6.1.26","v6.1.27","v6.1.28","v6.1.29","v6.1.3","v6.1.30","v6.1.31","v6.1.32","v6.1.33","v6.1.34","v6.1.35","v6.1.36","v6.1.37","v6.1.38","v6.1.39","v6.1.4","v6.1.40","v6.1.41","v6.1.42","v6.1.43","v6.1.44","v6.1.45","v6.1.46","v6.1.47","v6.1.48","v6.1.49","v6.1.5","v6.1.50","v6.1.51","v6.1.52","v6.1.53","v6.1.54","v6.1.55","v6.1.56","v6.1.57","v6.1.58","v6.1.59","v6.1.6","v6.1.60","v6.1.61","v6.1.62","v6.1.63","v6.1.64","v6.1.65","v6.1.66","v6.1.67","v6.1.68","v6.1.69","v6.1.7","v6.1.70","v6.1.71","v6.1.72","v6.1.73","v6.1.74","v6.1.75","v6.1.76","v6.1.77","v6.1.78","v6.1.79","v6.1.8","v6.1.80","v6.1.81","v6.1.82","v6.1.83","v6.1.84","v6.1.85","v6.1.86","v6.1.87","v6.1.88","v6.1.89","v6.1.9","v6.1.90","v6.1.91","v6.1.92","v6.1.93","v6.1.94","v6.1.95","v6.1.96","v6.1.97","v6.1.98","v6.1.99","v6.10","v6.10-rc1","v6.10-rc2","v6.10-rc3","v6.10-rc4","v6.10-rc5","v6.10-rc6","v6.10-rc7","v6.11","v6.11-rc1","v6.11-rc2","v6.11-rc3","v6.11-rc4","v6.11-rc5","v6.11-rc6","v6.11-rc7","v6.12","v6.12-rc1","v6.12-rc2","v6.12-rc3","v6.12-rc4","v6.12-rc5","v6.12-rc6","v6.12-rc7","v6.12.1","v6.12.10","v6.12.11","v6.12.12","v6.12.13","v6.12.14","v6.12.15","v6.12.16","v6.12.17","v6.12.18","v6.12.19","v6.12.2","v6.12.20","v6.12.21","v6.12.22","v6.12.23","v6.12.24","v6.12.25","v6.12.26","v6.12.27","v6.12.28","v6.12.29","v6.12.3","v6.12.30","v6.12.31","v6.12.32","v6.12.33","v6.12.34","v6.12.35","v6.12.36","v6.12.37","v6.12.38","v6.12.39","v6.12.4","v6.12.40","v6.12.41","v6.12.42","v6.12.43","v6.12.44","v6.12.45","v6.12.46","v6.12.47","v6.12.48","v6.12.49","v6.12.5","v6.12.50","v6.12.51","v6.12.52","v6.12.53","v6.12.54","v6.12.55","v6.12.56","v6.12.57","v6.12.58","v6.12.59","v6.12.6","v6.12.60","v6.12.61","v6.12.62","v6.12.63","v6.12.64","v6.12.65","v6.12.66","v6.12.67","v6.12.7","v6.12.8","v6.12.9","v6.13","v6.13-rc1","v6.13-rc2","v6.13-rc3","v6.13-rc4","v6.13-rc5","v6.13-rc6","v6.13-rc7","v6.14","v6.14-rc1","v6.14-rc2","v6.14-rc3","v6.14-rc4","v6.14-rc5","v6.14-rc6","v6.14-rc7","v6.15","v6.15-rc1","v6.15-rc2","v6.15-rc3","v6.15-rc4","v6.15-rc5","v6.15-rc6","v6.15-rc7","v6.16","v6.16-rc1","v6.16-rc2","v6.16-rc3","v6.16-rc4","v6.16-rc5","v6.16-rc6","v6.16-rc7","v6.17","v6.17-rc1","v6.17-rc2","v6.17-rc3","v6.17-rc4","v6.17-rc5","v6.17-rc6","v6.17-rc7","v6.18","v6.18-rc1","v6.18-rc2","v6.18-rc3","v6.18-rc4","v6.18-rc5","v6.18-rc6","v6.18-rc7","v6.18.1","v6.18.2","v6.18.3","v6.18.4","v6.18.5","v6.18.6","v6.18.7","v6.19-rc1","v6.2","v6.2-rc1","v6.2-rc2","v6.2-rc3","v6.2-rc4","v6.2-rc5","v6.2-rc6","v6.2-rc7","v6.2-rc8","v6.3","v6.3-rc1","v6.3-rc2","v6.3-rc3","v6.3-rc4","v6.3-rc5","v6.3-rc6","v6.3-rc7","v6.4","v6.4-rc1","v6.4-rc2","v6.4-rc3","v6.4-rc4","v6.4-rc5","v6.4-rc6","v6.4-rc7","v6.5","v6.5-rc1","v6.5-rc2","v6.5-rc3","v6.5-rc4","v6.5-rc5","v6.5-rc6","v6.5-rc7","v6.6","v6.6-rc1","v6.6-rc2","v6.6-rc3","v6.6-rc4","v6.6-rc5","v6.6-rc6","v6.6-rc7","v6.6.1","v6.6.10","v6.6.100","v6.6.101","v6.6.102","v6.6.103","v6.6.104","v6.6.105","v6.6.106","v6.6.107","v6.6.108","v6.6.109","v6.6.11","v6.6.110","v6.6.111","v6.6.112","v6.6.113","v6.6.114","v6.6.115","v6.6.116","v6.6.117","v6.6.118","v6.6.119","v6.6.12","v6.6.120","v6.6.121","v6.6.13","v6.6.14","v6.6.15","v6.6.16","v6.6.17","v6.6.18","v6.6.19","v6.6.2","v6.6.20","v6.6.21","v6.6.22","v6.6.23","v6.6.24","v6.6.25","v6.6.26","v6.6.27","v6.6.28","v6.6.29","v6.6.3","v6.6.30","v6.6.31","v6.6.32","v6.6.33","v6.6.34","v6.6.35","v6.6.36","v6.6.37","v6.6.38","v6.6.39","v6.6.4","v6.6.40","v6.6.41","v6.6.42","v6.6.43","v6.6.44","v6.6.45","v6.6.46","v6.6.47","v6.6.48","v6.6.49","v6.6.5","v6.6.50","v6.6.51","v6.6.52","v6.6.53","v6.6.54","v6.6.55","v6.6.56","v6.6.57","v6.6.58","v6.6.59","v6.6.6","v6.6.60","v6.6.61","v6.6.62","v6.6.63","v6.6.64","v6.6.65","v6.6.66","v6.6.67","v6.6.68","v6.6.69","v6.6.7","v6.6.70","v6.6.71","v6.6.72","v6.6.73","v6.6.74","v6.6.75","v6.6.76","v6.6.77","v6.6.78","v6.6.79","v6.6.8","v6.6.80","v6.6.81","v6.6.82","v6.6.83","v6.6.84","v6.6.85","v6.6.86","v6.6.87","v6.6.88","v6.6.89","v6.6.9","v6.6.90","v6.6.91","v6.6.92","v6.6.93","v6.6.94","v6.6.95","v6.6.96","v6.6.97","v6.6.98","v6.6.99","v6.7","v6.7-rc1","v6.7-rc2","v6.7-rc3","v6.7-rc4","v6.7-rc5","v6.7-rc6","v6.7-rc7","v6.7-rc8","v6.8","v6.8-rc1","v6.8-rc2","v6.8-rc3","v6.8-rc4","v6.8-rc5","v6.8-rc6","v6.8-rc7","v6.9","v6.9-rc1","v6.9-rc2","v6.9-rc3","v6.9-rc4","v6.9-rc5","v6.9-rc6","v6.9-rc7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23107.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.19.0"},{"fixed":"6.1.162"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.122"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.68"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23107.json"}}],"schema_version":"1.7.3"}