Linux Kernel, Improper Locking, CVE-2026-23134 (Medium)

CVE-2026-23134 is a vulnerability in the Linux kernel’s memory management (slab allocator) that affects systems running with the PREEMPT_RT (Real-Time) patch set. The issue resides in the `kmalloc_nolock()` function. On standard kernels, `local_lock` is a simple mechanism, but on PREEMPT_RT kernels it is implemented as a sleeping lock to ensure real-time guarantees. The original code in `kmalloc_nolock()` only checked for NMI (Non-Maskable Interrupt) or hard IRQ (Interrupt Request) contexts to determine whether it was safe to acquire this lock. It failed to account for scenarios where preemption has been explicitly disabled even though the code is not running in an interrupt handler.

A specific trigger was identified when a BPF (Berkeley Packet Filter) program runs from a tracepoint. In this execution path, preemption is disabled (meaning the scheduler cannot switch tasks). Because the `kmalloc_nolock()` check did not recognize this state, it proceeded to call `local_lock_irqsave()`, which attempted to acquire a sleeping lock. Acquiring a sleeping lock in a context where preemption is disabled (and thus scheduling is blocked) is illegal in the Linux kernel and triggers a “BUG: sleeping function called from invalid context” kernel error, leading to a system warning and potential instability.

The fix modifies the context check on PREEMPT_RT systems to use `!preemptible()`, which correctly identifies any scenario where taking a sleeping lock is forbidden, including preemption-disabled regions, hard IRQ, and NMI contexts.
Platform: Linux Kernel
Version: 6.18 to 6.18.7
Vulnerability: Sleep-in-atomic context
Severity: Medium (CVSS 5.5)
Date: 14 February 2026

Prediction: Already patched

What Undercode Say:

Analytics

This vulnerability affects only systems configured with the `PREEMPT_RT` patch set, which is used in real-time and low-latency environments. It does not affect standard kernel builds. The issue was introduced in kernel version 6.18 via commit `af92793e52c3` and fixed in 6.18.8 and 6.19. The Tenable assessment provides a CVSS v3 base score of 5.5 (Medium) with a vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local attack with low complexity that can cause a high availability impact. Major distributions like Debian, Ubuntu, and SUSE have marked this vulnerability as “Not affected” for their stable releases because the vulnerable code was only present in a short window of upstream development and did not propagate to their Long Term Support (LTS) kernels.

How Exploit:

There is no direct “exploit” in the traditional sense of gaining code execution, but a local unprivileged user with the ability to load and trigger specific BPF programs could cause a kernel panic (Denial of Service).
1. Prerequisite: The system must be running a 6.18.x kernel compiled with `CONFIG_PREEMPT_RT`.
2. Trigger: A BPF program is attached to a tracepoint.
3. Execution: When the tracepoint is hit, the BPF program runs in a context where preemption is disabled.
4. Failure: The BPF program attempts a memory allocation that eventually calls `kmalloc_nolock()`. Because preemption is disabled, the flawed check allows the function to call `local_lock_irqsave()` (a sleeping lock on RT).
5. Result: The kernel detects an illegal sleep in an atomic context and panics, rendering the system unavailable.

Protection from this CVE

Protection requires updating the Linux kernel to a version containing the fix.
Patch: The fix replaces the insufficient checks with `!preemptible()` in the `kmalloc_nolock()` function for `PREEMPT_RT` kernels.
Fixed Versions: Update to kernel version 6.18.8, or to 6.19 or later.

Command to check version:

uname -r

Command to update (Debian/Ubuntu example):

sudo apt update && sudo apt upgrade linux-image-$(uname -r)

Git Commits: The resolving commits are:

`f60ba4a97ae3` (for the 6.18.8 stable tree)

`99a3e3a1cfc9` (for the mainline 6.19 kernel)
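
The version and configuration criteria above can be turned into a host check. The script below is an added example, not code from the original post or the kernel project; its function names are its own, and it assumes a PREEMPT_RT build shows `PREEMPT_RT` in `uname -v` or `CONFIG_PREEMPT_RT=y` in `/boot/config-<release>`.

```shell
#!/bin/sh
# Added example: classify a kernel against the range given on this page
# (6.18 through 6.18.7, PREEMPT_RT builds only).

# affected_range RELEASE: 0 if RELEASE (uname -r format) is 6.18 .. 6.18.7,
# 1 if it is outside that range, 2 if the version cannot be parsed.
affected_range() {
    base=${1%%[-+]*}                 # drop suffixes such as "-rt3-amd64"
    old_ifs=$IFS; IFS=.
    set -- $base                     # split "6.18.5" into 6 18 5
    IFS=$old_ifs
    major=${1:-}; minor=${2:-}; patch=${3:-0}
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*) return 2 ;;   # non-numeric or missing field
    esac
    [ "$major" -eq 6 ] && [ "$minor" -eq 18 ] && [ "$patch" -le 7 ]
}

# is_rt_build VERSION_STRING [CONFIG_FILE]: 0 if the build is PREEMPT_RT.
# Assumption: RT builds carry "PREEMPT_RT" in uname -v, or the config file
# (if readable) contains CONFIG_PREEMPT_RT=y.
is_rt_build() {
    case "$1" in *PREEMPT_RT*) return 0 ;; esac
    [ -n "${2:-}" ] && [ -r "$2" ] && grep -q '^CONFIG_PREEMPT_RT=y' "$2"
}

# classify RELEASE VERSION_STRING [CONFIG_FILE]: prints one verdict word.
classify() {
    rc=0
    affected_range "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown-version"       # do not report an unparseable kernel as safe
    elif [ "$rc" -ne 0 ]; then
        echo "not-in-range"
    elif is_rt_build "$2" "${3:-}"; then
        echo "affected"
    else
        echo "in-range-not-rt"
    fi
}

# Live check of the running kernel.
classify "$(uname -r)" "$(uname -v)" "/boot/config-$(uname -r)"
```

A distribution kernel can carry a backported fix without changing its upstream version number, so an `affected` verdict should be confirmed against the vendor's own tracker.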

Impact

Availability: High. Successful triggering of the bug results in a kernel “BUG” message and a system crash or hang (Denial of Service).
Integrity: None. The vulnerability does not allow for data corruption or modification.

Confidentiality: None. The vulnerability does not leak information.

Scope: The impact is limited to the vulnerable system; it does not affect other networked devices. The bug is localized to the specific memory allocation path under specific real-time conditions.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
