CVE-2026-23107 (GCVE-0-2026-23107)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
Summary
In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sve_state is NULL. In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state: | # ./sigreturn-za | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000046 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x06: level 2 translation fault | Data abort info: | ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 | CM = 0, WnR = 1, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00 | [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000 | Internal error: Oops: 0000000096000046 [#1] SMP | Modules linked in: | CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT | Hardware name: linux,dummy-virt (DT) | pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) | pc : sve_save_state+0x4/0xf0 | lr : fpsimd_save_user_state+0xb0/0x1c0 | sp : ffff80008070bcc0 | x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658 | x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000 | x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40 | x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000 | x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c | x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020 | x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0 | x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48 | x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000 | x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440 | Call trace: | sve_save_state+0x4/0xf0 (P) | fpsimd_thread_switch+0x48/0x198 | __switch_to+0x20/0x1c0 | __schedule+0x36c/0xce0 | schedule+0x34/0x11c | exit_to_user_mode_loop+0x124/0x188 | el0_interrupt+0xc8/0xd8 | __el0_irq_handler_common+0x18/0x24 | el0t_64_irq_handler+0x10/0x1c | el0t_64_irq+0x198/0x19c | Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) | ---[ end trace 0000000000000000 ]--- Fix this by having restore_za_context() ensure that the task's sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < c5a5b150992ebab779c1ce54f54676786e47e94c (git)
Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214 (git)
Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 0af233d66eff90fb8f3e0fc09f2316bba0b72bb9 (git)
Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < 70f7f54566afc23f2c71bf1411af81f5d8009e0f (git)
Affected: 39782210eb7e87634d96cacb6ece370bc59d74ba , < ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 (git)
Create a notification for this product.
    Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.122 , ≤ 6.6.* (semver)
Unaffected: 6.12.68 , ≤ 6.12.* (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc7 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/signal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c5a5b150992ebab779c1ce54f54676786e47e94c",
              "status": "affected",
              "version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
              "versionType": "git"
            },
            {
              "lessThan": "19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214",
              "status": "affected",
              "version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
              "versionType": "git"
            },
            {
              "lessThan": "0af233d66eff90fb8f3e0fc09f2316bba0b72bb9",
              "status": "affected",
              "version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
              "versionType": "git"
            },
            {
              "lessThan": "70f7f54566afc23f2c71bf1411af81f5d8009e0f",
              "status": "affected",
              "version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
              "versionType": "git"
            },
            {
              "lessThan": "ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4",
              "status": "affected",
              "version": "39782210eb7e87634d96cacb6ece370bc59d74ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/signal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc7",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: signal: Allocate SSVE storage when restoring ZA\n\nThe code to restore a ZA context doesn\u0027t attempt to allocate the task\u0027s\nsve_state before setting TIF_SME. Consequently, restoring a ZA context\ncan place a task into an invalid state where TIF_SME is set but the\ntask\u0027s sve_state is NULL.\n\nIn legitimate but uncommon cases where the ZA signal context was NOT\ncreated by the kernel in the context of the same task (e.g. if the task\nis saved/restored with something like CRIU), we have no guarantee that\nsve_state had been allocated previously. In these cases, userspace can\nenter streaming mode without trapping while sve_state is NULL, causing a\nlater NULL pointer dereference when the kernel attempts to store the\nregister state:\n\n| # ./sigreturn-za\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n| Mem abort info:\n|   ESR = 0x0000000096000046\n|   EC = 0x25: DABT (current EL), IL = 32 bits\n|   SET = 0, FnV = 0\n|   EA = 0, S1PTW = 0\n|   FSC = 0x06: level 2 translation fault\n| Data abort info:\n|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00\n| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000\n| Internal error: Oops: 0000000096000046 [#1]  SMP\n| Modules linked in:\n| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n| pc : sve_save_state+0x4/0xf0\n| lr : fpsimd_save_user_state+0xb0/0x1c0\n| sp : ffff80008070bcc0\n| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658\n| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000\n| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40\n| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000\n| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c\n| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020\n| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0\n| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48\n| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000\n| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440\n| Call trace:\n|  sve_save_state+0x4/0xf0 (P)\n|  fpsimd_thread_switch+0x48/0x198\n|  __switch_to+0x20/0x1c0\n|  __schedule+0x36c/0xce0\n|  schedule+0x34/0x11c\n|  exit_to_user_mode_loop+0x124/0x188\n|  el0_interrupt+0xc8/0xd8\n|  __el0_irq_handler_common+0x18/0x24\n|  el0t_64_irq_handler+0x10/0x1c\n|  el0t_64_irq+0x198/0x19c\n| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)\n| ---[ end trace 0000000000000000 ]---\n\nFix this by having restore_za_context() ensure that the task\u0027s sve_state\nis allocated, matching what we do when taking an SME trap. Any live\nSVE/SSVE state (which is restored earlier from a separate signal\ncontext) must be preserved, and hence this is not zeroed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T16:33:30.263Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c"
        },
        {
          "url": "https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214"
        },
        {
          "url": "https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4"
        }
      ],
      "title": "arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23107",
    "datePublished": "2026-02-04T16:08:27.755Z",
    "dateReserved": "2026-01-13T15:37:45.967Z",
    "dateUpdated": "2026-02-06T16:33:30.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23107\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T17:16:21.570\",\"lastModified\":\"2026-02-06T17:16:25.717\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64/fpsimd: signal: Allocate SSVE storage when restoring ZA\\n\\nThe code to restore a ZA context doesn\u0027t attempt to allocate the task\u0027s\\nsve_state before setting TIF_SME. Consequently, restoring a ZA context\\ncan place a task into an invalid state where TIF_SME is set but the\\ntask\u0027s sve_state is NULL.\\n\\nIn legitimate but uncommon cases where the ZA signal context was NOT\\ncreated by the kernel in the context of the same task (e.g. if the task\\nis saved/restored with something like CRIU), we have no guarantee that\\nsve_state had been allocated previously. In these cases, userspace can\\nenter streaming mode without trapping while sve_state is NULL, causing a\\nlater NULL pointer dereference when the kernel attempts to store the\\nregister state:\\n\\n| # ./sigreturn-za\\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\n| Mem abort info:\\n|   ESR = 0x0000000096000046\\n|   EC = 0x25: DABT (current EL), IL = 32 bits\\n|   SET = 0, FnV = 0\\n|   EA = 0, S1PTW = 0\\n|   FSC = 0x06: level 2 translation fault\\n| Data abort info:\\n|   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\\n|   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\\n|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n| user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00\\n| [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000\\n| Internal error: Oops: 0000000096000046 [#1]  SMP\\n| Modules linked in:\\n| CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT\\n| Hardware name: linux,dummy-virt (DT)\\n| pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\\n| pc : sve_save_state+0x4/0xf0\\n| lr : fpsimd_save_user_state+0xb0/0x1c0\\n| sp : ffff80008070bcc0\\n| x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658\\n| x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000\\n| x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40\\n| x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000\\n| x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c\\n| x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020\\n| x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0\\n| x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48\\n| x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000\\n| x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440\\n| Call trace:\\n|  sve_save_state+0x4/0xf0 (P)\\n|  fpsimd_thread_switch+0x48/0x198\\n|  __switch_to+0x20/0x1c0\\n|  __schedule+0x36c/0xce0\\n|  schedule+0x34/0x11c\\n|  exit_to_user_mode_loop+0x124/0x188\\n|  el0_interrupt+0xc8/0xd8\\n|  __el0_irq_handler_common+0x18/0x24\\n|  el0t_64_irq_handler+0x10/0x1c\\n|  el0t_64_irq+0x198/0x19c\\n| Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800)\\n| ---[ end trace 0000000000000000 ]---\\n\\nFix this by having restore_za_context() ensure that the task\u0027s sve_state\\nis allocated, matching what we do when taking an SME trap. Any live\\nSVE/SSVE state (which is restored earlier from a separate signal\\ncontext) must be preserved, and hence this is not zeroed.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.