{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23115", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.969Z", "datePublished": "2026-02-14T15:09:47.826Z", "dateUpdated": "2026-02-14T15:09:47.826Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-14T15:09:47.826Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix not set tty->port race condition\n\nRevert commit bfc467db60b7 (\"serial: remove redundant\ntty_port_link_device()\") because the tty_port_link_device() is not\nredundant: the tty->port has to be confured before we call\nuart_configure_port(), otherwise user-space can open console without TTY\nlinked to the driver.\n\nThis tty_port_link_device() was added explicitly to avoid this exact\nissue in commit fb2b90014d78 (\"tty: link tty and port before configuring\nit as console\"), so offending commit basically reverted the fix saying\nit is redundant without addressing the actual race condition presented\nthere.\n\nReproducible always as tty->port warning on Qualcomm SoC with most of\ndevices disabled, so with very fast boot, and one serial device being\nthe console:\n\n printk: legacy console [ttyMSM0] enabled\n printk: legacy console [ttyMSM0] enabled\n printk: legacy bootconsole [qcom_geni0] disabled\n printk: legacy bootconsole [qcom_geni0] disabled\n ------------[ cut here ]------------\n tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!\n WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n Tainted: [S]=CPU_OUT_OF_SPEC\n Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\n ...\n tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\n tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\n chrdev_open (fs/char_dev.c:411)\n do_dentry_open (fs/open.c:962)\n vfs_open (fs/open.c:1094)\n do_open (fs/namei.c:4634)\n path_openat (fs/namei.c:4793)\n do_filp_open (fs/namei.c:4820)\n do_sys_openat2 (fs/open.c:1391 (discriminator 3))\n ...\n Starting Network Name Resolution...\n\nApparently the flow with this small Yocto-based ramdisk user-space is:\n\ndriver (qcom_geni_serial.c): user-space:\n============================ ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n serial_core_register_port()\n serial_core_add_one_port()\n uart_configure_port()\n register_console()\n |\n | open console\n | ...\n | tty_init_dev()\n | driver->ports[idx] is NULL\n |\n tty_port_register_device_attr_serdev()\n tty_port_link_device() <- set driver->ports[idx]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/serial/serial_core.c"], "versions": [{"version": "bfc467db60b76c30ca1f7f02088a219b6d5b6e8c", "lessThan": "2501c49306238b54a2de0f93de43d50ab6e76c84", "status": "affected", "versionType": "git"}, {"version": "bfc467db60b76c30ca1f7f02088a219b6d5b6e8c", "lessThan": "32f37e57583f869140cff445feedeea8a5fea986", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/serial/serial_core.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2501c49306238b54a2de0f93de43d50ab6e76c84"}, {"url": "https://git.kernel.org/stable/c/32f37e57583f869140cff445feedeea8a5fea986"}], "title": "serial: Fix not set tty->port race condition", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix not set tty->port race condition\n\nRevert commit bfc467db60b7 (\"serial: remove redundant\ntty_port_link_device()\") because the tty_port_link_device() is not\nredundant: the tty->port has to be confured before we call\nuart_configure_port(), otherwise user-space can open console without TTY\nlinked to the driver.\n\nThis tty_port_link_device() was added explicitly to avoid this exact\nissue in commit fb2b90014d78 (\"tty: link tty and port before configuring\nit as console\"), so offending commit basically reverted the fix saying\nit is redundant without addressing the actual race condition presented\nthere.\n\nReproducible always as tty->port warning on Qualcomm SoC with most of\ndevices disabled, so with very fast boot, and one serial device being\nthe console:\n\n printk: legacy console [ttyMSM0] enabled\n printk: legacy console [ttyMSM0] enabled\n printk: legacy bootconsole [qcom_geni0] disabled\n printk: legacy bootconsole [qcom_geni0] disabled\n ------------[ cut here ]------------\n tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!\n WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n Tainted: [S]=CPU_OUT_OF_SPEC\n Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\n ...\n tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\n tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\n chrdev_open (fs/char_dev.c:411)\n do_dentry_open (fs/open.c:962)\n vfs_open (fs/open.c:1094)\n do_open (fs/namei.c:4634)\n path_openat (fs/namei.c:4793)\n do_filp_open (fs/namei.c:4820)\n do_sys_openat2 (fs/open.c:1391 (discriminator 3))\n ...\n Starting Network Name Resolution...\n\nApparently the flow with this small Yocto-based ramdisk user-space is:\n\ndriver (qcom_geni_serial.c): user-space:\n============================ ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n serial_core_register_port()\n serial_core_add_one_port()\n uart_configure_port()\n register_console()\n |\n | open console\n | ...\n | tty_init_dev()\n | driver->ports[idx] is NULL\n |\n tty_port_register_device_attr_serdev()\n tty_port_link_device() <- set driver->ports[idx]"}], "id": "CVE-2026-23115", "lastModified": "2026-02-14T15:16:06.607", "metrics": {}, "published": "2026-02-14T15:16:06.607", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2501c49306238b54a2de0f93de43d50ab6e76c84"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/32f37e57583f869140cff445feedeea8a5fea986"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}