CVE-2026-23374 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/59efa088752b1c380a0475974679850cc8aef907
https://git.kernel.org/stable/c/da46b5dfef48658d03347cda21532bcdbb521e67

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: blktrace: fix __this_cpu_read/write in preemptible context tracing_record_cmdline() internally uses __this_cpu_read() and __this_cpu_write() on the per-CPU variable trace_cmdline_save, and trace_save_cmdline() explicitly asserts preemption is disabled via lockdep_assert_preemption_disabled(). These operations are only safe when preemption is off, as they were designed to be called from the scheduler context (probe_wakeup_sched_switch() / probe_wakeup()). __blk_add_trace() was calling tracing_record_cmdline(current) early in the blk_tracer path, before ring buffer reservation, from process context where preemption is fully enabled. This triggers the following using blktests/blktrace/002: blktrace/002 (blktrace ftrace corruption with sysfs trace) [failed] runtime 0.367s ... 0.437s something found in dmesg: [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null_blk: disk nullb1 created [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing_record_cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] <TASK> [ 81.362886] dump_stack_lvl+0x8d/0xb0 ... (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message) [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33 [ 81.239580] null_blk: disk nullb1 created [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516 [ 81.362842] caller is tracing_record_cmdline+0x10/0x40 [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full) [ 81.362877] Tainted: [N]=TEST [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 81.362881] Call Trace: [ 81.362884] <TASK> [ 81.362886] dump_stack_lvl+0x8d/0xb0 [ 81.362895] check_preemption_disabled+0xce/0xe0 [ 81.362902] tracing_record_cmdline+0x10/0x40 [ 81.362923] __blk_add_trace+0x307/0x5d0 [ 81.362934] ? lock_acquire+0xe0/0x300 [ 81.362940] ? iov_iter_extract_pages+0x101/0xa30 [ 81.362959] blk_add_trace_bio+0x106/0x1e0 [ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0 [ 81.362979] ? lockdep_init_map_type+0x58/0x260 [ 81.362988] submit_bio_wait+0x56/0x90 [ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250 [ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10 [ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0 [ 81.363051] blkdev_read_iter+0xc1/0x140 [ 81.363059] vfs_read+0x20b/0x330 [ 81.363083] ksys_read+0x67/0xe0 [ 81.363090] do_syscall_64+0xbf/0xf00 [ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 81.363106] RIP: 0033:0x7f281906029d [ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec [ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d [ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000 [ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000 [ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000 [ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a [ 81.363142] </TASK> The same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(), and blk_add_trace_rq() paths as well. The purpose of tracin ---truncated---
Title		blktrace: fix __this_cpu_read/write in preemptible context
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/59efa088752b1c380a0475974679850cc8aef907 https://git.kernel.org/stable/c/da46b5dfef48658d03347cda21532bcdbb521e67

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23374", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:55.117Z", "dateUpdated": "2026-03-25T10:27:55.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:55.117Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix __this_cpu_read/write in preemptible context\n\ntracing_record_cmdline() internally uses __this_cpu_read() and\n__this_cpu_write() on the per-CPU variable trace_cmdline_save, and\ntrace_save_cmdline() explicitly asserts preemption is disabled via\nlockdep_assert_preemption_disabled(). These operations are only safe\nwhen preemption is off, as they were designed to be called from the\nscheduler context (probe_wakeup_sched_switch() / probe_wakeup()).\n\n__blk_add_trace() was calling tracing_record_cmdline(current) early in\nthe blk_tracer path, before ring buffer reservation, from process\ncontext where preemption is fully enabled. This triggers the following\nusing blktests/blktrace/002:\n\nblktrace/002 (blktrace ftrace corruption with sysfs trace) [failed]\n runtime 0.367s ... 0.437s\n something found in dmesg:\n [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n [ 81.239580] null_blk: disk nullb1 created\n [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n [ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n [ 81.362877] Tainted: [N]=TEST\n [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n [ 81.362881] Call Trace:\n [ 81.362884] <TASK>\n [ 81.362886] dump_stack_lvl+0x8d/0xb0\n ...\n (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)\n\n[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n[ 81.239580] null_blk: disk nullb1 created\n[ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n[ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n[ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n[ 81.362877] Tainted: [N]=TEST\n[ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 81.362881] Call Trace:\n[ 81.362884] <TASK>\n[ 81.362886] dump_stack_lvl+0x8d/0xb0\n[ 81.362895] check_preemption_disabled+0xce/0xe0\n[ 81.362902] tracing_record_cmdline+0x10/0x40\n[ 81.362923] __blk_add_trace+0x307/0x5d0\n[ 81.362934] ? lock_acquire+0xe0/0x300\n[ 81.362940] ? iov_iter_extract_pages+0x101/0xa30\n[ 81.362959] blk_add_trace_bio+0x106/0x1e0\n[ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0\n[ 81.362979] ? lockdep_init_map_type+0x58/0x260\n[ 81.362988] submit_bio_wait+0x56/0x90\n[ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250\n[ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10\n[ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0\n[ 81.363051] blkdev_read_iter+0xc1/0x140\n[ 81.363059] vfs_read+0x20b/0x330\n[ 81.363083] ksys_read+0x67/0xe0\n[ 81.363090] do_syscall_64+0xbf/0xf00\n[ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 81.363106] RIP: 0033:0x7f281906029d\n[ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec\n[ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d\n[ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000\n[ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000\n[ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000\n[ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a\n[ 81.363142] </TASK>\n\nThe same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),\nand blk_add_trace_rq() paths as well.\n\nThe purpose of tracin\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/blktrace.c"], "versions": [{"version": "7ffbd48d5cab22bcd1120eb2349db1319e2d827a", "lessThan": "59efa088752b1c380a0475974679850cc8aef907", "status": "affected", "versionType": "git"}, {"version": "7ffbd48d5cab22bcd1120eb2349db1319e2d827a", "lessThan": "da46b5dfef48658d03347cda21532bcdbb521e67", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/trace/blktrace.c"], "versions": [{"version": "3.8", "status": "affected"}, {"version": "0", "lessThan": "3.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/59efa088752b1c380a0475974679850cc8aef907"}, {"url": "https://git.kernel.org/stable/c/da46b5dfef48658d03347cda21532bcdbb521e67"}], "title": "blktrace: fix __this_cpu_read/write in preemptible context", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix __this_cpu_read/write in preemptible context\n\ntracing_record_cmdline() internally uses __this_cpu_read() and\n__this_cpu_write() on the per-CPU variable trace_cmdline_save, and\ntrace_save_cmdline() explicitly asserts preemption is disabled via\nlockdep_assert_preemption_disabled(). These operations are only safe\nwhen preemption is off, as they were designed to be called from the\nscheduler context (probe_wakeup_sched_switch() / probe_wakeup()).\n\n__blk_add_trace() was calling tracing_record_cmdline(current) early in\nthe blk_tracer path, before ring buffer reservation, from process\ncontext where preemption is fully enabled. This triggers the following\nusing blktests/blktrace/002:\n\nblktrace/002 (blktrace ftrace corruption with sysfs trace) [failed]\n runtime 0.367s ... 0.437s\n something found in dmesg:\n [ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n [ 81.239580] null_blk: disk nullb1 created\n [ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n [ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n [ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n [ 81.362877] Tainted: [N]=TEST\n [ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n [ 81.362881] Call Trace:\n [ 81.362884] <TASK>\n [ 81.362886] dump_stack_lvl+0x8d/0xb0\n ...\n (See '/mnt/sda/blktests/results/nodev/blktrace/002.dmesg' for the entire message)\n\n[ 81.211018] run blktests blktrace/002 at 2026-02-25 22:24:33\n[ 81.239580] null_blk: disk nullb1 created\n[ 81.357294] BUG: using __this_cpu_read() in preemptible [00000000] code: dd/2516\n[ 81.362842] caller is tracing_record_cmdline+0x10/0x40\n[ 81.362872] CPU: 16 UID: 0 PID: 2516 Comm: dd Tainted: G N 7.0.0-rc1lblk+ #84 PREEMPT(full)\n[ 81.362877] Tainted: [N]=TEST\n[ 81.362878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\n[ 81.362881] Call Trace:\n[ 81.362884] <TASK>\n[ 81.362886] dump_stack_lvl+0x8d/0xb0\n[ 81.362895] check_preemption_disabled+0xce/0xe0\n[ 81.362902] tracing_record_cmdline+0x10/0x40\n[ 81.362923] __blk_add_trace+0x307/0x5d0\n[ 81.362934] ? lock_acquire+0xe0/0x300\n[ 81.362940] ? iov_iter_extract_pages+0x101/0xa30\n[ 81.362959] blk_add_trace_bio+0x106/0x1e0\n[ 81.362968] submit_bio_noacct_nocheck+0x24b/0x3a0\n[ 81.362979] ? lockdep_init_map_type+0x58/0x260\n[ 81.362988] submit_bio_wait+0x56/0x90\n[ 81.363009] __blkdev_direct_IO_simple+0x16c/0x250\n[ 81.363026] ? __pfx_submit_bio_wait_endio+0x10/0x10\n[ 81.363038] ? rcu_read_lock_any_held+0x73/0xa0\n[ 81.363051] blkdev_read_iter+0xc1/0x140\n[ 81.363059] vfs_read+0x20b/0x330\n[ 81.363083] ksys_read+0x67/0xe0\n[ 81.363090] do_syscall_64+0xbf/0xf00\n[ 81.363102] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 81.363106] RIP: 0033:0x7f281906029d\n[ 81.363111] Code: 31 c0 e9 c6 fe ff ff 50 48 8d 3d 66 63 0a 00 e8 59 ff 01 00 66 0f 1f 84 00 00 00 00 00 80 3d 41 33 0e 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec\n[ 81.363113] RSP: 002b:00007ffca127dd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 81.363120] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f281906029d\n[ 81.363122] RDX: 0000000000001000 RSI: 0000559f8bfae000 RDI: 0000000000000000\n[ 81.363123] RBP: 0000000000001000 R08: 0000002863a10a81 R09: 00007f281915f000\n[ 81.363124] R10: 00007f2818f77b60 R11: 0000000000000246 R12: 0000559f8bfae000\n[ 81.363126] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000a\n[ 81.363142] </TASK>\n\nThe same BUG fires from blk_add_trace_plug(), blk_add_trace_unplug(),\nand blk_add_trace_rq() paths as well.\n\nThe purpose of tracin\n---truncated---"}], "id": "CVE-2026-23374", "lastModified": "2026-03-25T11:16:37.077", "metrics": {}, "published": "2026-03-25T11:16:37.077", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/59efa088752b1c380a0475974679850cc8aef907"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/da46b5dfef48658d03347cda21532bcdbb521e67"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object