Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Web Discovery

CVE-2026-23088: Linux Kernel Privilege Escalation Flaw

CVE-2026-23088 is a privilege escalation and denial

CVE-2026-23088 is a privilege escalation vulnerability in the Linux kernel tracing subsystem that causes crashes when synthetic stacktrace fields are used. This article covers technical details, affected versions, and mitigations.

Published: February 6, 2026

CVE-2026-23088 Overview

CVE-2026-23088 is a kernel vulnerability in the Linux kernel's tracing subsystem that causes a system crash when creating and enabling synthetic events that utilize stacktrace fields from other synthetic events. The vulnerability occurs in the trace_event_raw_event_synth() function where stacktrace fields are incorrectly treated as normal fields rather than dynamic arrays, leading to improper memory access and a kernel panic.

Critical Impact

This vulnerability allows local users with access to the tracing filesystem (/sys/kernel/tracing) to trigger a kernel crash through manipulation of synthetic events with stacktrace fields, resulting in a denial of service condition.

Affected Products

- Linux kernel with tracing subsystem enabled
- Systems with /sys/kernel/tracing accessible to users
- Linux kernel versions prior to the security patches

Discovery Timeline

- February 4, 2026 - CVE-2026-23088 published to NVD
- February 5, 2026 - Last updated in NVD database

Technical Details for CVE-2026-23088

Vulnerability Analysis

The vulnerability resides in the Linux kernel's tracing subsystem, specifically in how synthetic events handle stacktrace fields inherited from other synthetic events. When a synthetic event is created that references a stacktrace field from another synthetic event, and that new event is subsequently enabled or used in a histogram, the kernel crashes with a page fault.

The crash occurs because the stacktrace field is not properly labeled as a dynamic array type. In trace_event_raw_event_synth(), the event field is still treated as a dynamic array for storage purposes, but the data retrieval mechanism treats it as a normal field. This mismatch causes the code to access metadata instead of the actual dynamic array data, resulting in an invalid memory access at address 0x0000000000400010.

The issue manifests when chaining synthetic events together. A user creates a first synthetic event with a stacktrace field, attaches it to a trigger, then creates a second synthetic event that references the stacktrace from the first event. Upon enabling the second synthetic event, the kernel attempts to read from an invalid memory location.

Root Cause

The root cause is a type mismatch in the synthetic event handling code. Stacktrace fields in synthetic events require special handling as dynamic arrays, but when these fields are passed between synthetic events, the type information is lost. The receiving synthetic event treats the stacktrace field reference as a simple field value rather than a pointer to a dynamic array structure.

Specifically, in trace_event_raw_event_synth(), the code path for processing event fields checks whether a field is a dynamic array but fails to account for the case where a stacktrace field is inherited from another synthetic event. The field's is_stack or equivalent flag is not properly propagated during event creation.

Attack Vector

The attack requires local access to the system with permissions to write to the tracing filesystem, typically located at /sys/kernel/tracing. An attacker would perform the following sequence:

1. Create an initial synthetic event with a stacktrace field
2. Attach the synthetic event to an existing trace event using histogram triggers
3. Create a second synthetic event that references the stacktrace from the first event
4. Enable the second synthetic event or use it in a histogram trigger

The kernel will crash when attempting to process the chained stacktrace field, causing a denial of service. This attack does not require elevated privileges beyond write access to the tracing filesystem, which may be available to non-root users in certain configurations.

Detection Methods for CVE-2026-23088

Indicators of Compromise

- Kernel crash logs showing page fault at address 0x0000000000400010 or similar low memory addresses
- Oops messages referencing trace_event_raw_event_synth in the call trace
- System crashes occurring after manipulation of files in /sys/kernel/tracing/dynamic_events or trigger files
- BUG messages indicating supervisor read access in kernel mode with error code 0x0000

Detection Strategies

- Monitor for unusual activity in the /sys/kernel/tracing filesystem, particularly writes to dynamic_events and trigger files
- Implement kernel log monitoring for crash signatures containing trace_event_raw_event_synth function references
- Track process access patterns to the tracing subsystem, especially sequences of synthetic event creation followed by enabling

Monitoring Recommendations

- Enable kernel auditing for write operations to /sys/kernel/tracing/dynamic_events and event trigger files
- Configure crash d
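The kernel-log check listed under Indicators of Compromise and Detection Strategies can be sketched as follows. This is an added example, not code from the original article or the kernel project: it groups page-fault reports in a kernel log and flags those that reference trace_event_raw_event_synth. The sample log lines are constructed in the usual x86-64 oops layout, and the LOW_ADDR_LIMIT threshold for "low memory addresses" is an assumption to tune locally.

```python
import re

# Constructed sample kernel log (x86-64 oops layout); not captured from a real system.
SAMPLE_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  214.552310] BUG: unable to handle page fault for address: 0000000000400010
[  214.552318] #PF: supervisor read access in kernel mode
[  214.552322] #PF: error_code(0x0000) - not-present page
[  214.552351] RIP: 0010:trace_event_raw_event_synth+0x90/0x3d0
[  214.552401] ---[ end trace 0000000000000000 ]---
[  300.100000] BUG: unable to handle page fault for address: ffffc90000123000
[  300.100004] #PF: supervisor write access in kernel mode
[  300.100010] RIP: 0010:some_driver_write+0x12/0x40
[  300.100020] ---[ end trace 0000000000000000 ]---
"""

FAULT_RE = re.compile(r"BUG: unable to handle page fault for address: ([0-9a-f]+)")
SYNTH_FN = "trace_event_raw_event_synth"
LOW_ADDR_LIMIT = 0x1000000  # assumption: local threshold for a "low" fault address

def split_oops_reports(log_text):
    """Yield (fault_address, lines) for each page-fault report in the log."""
    current = None
    for line in log_text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            if current:              # previous report had no end marker
                yield current
            current = (int(m.group(1), 16), [line])
        elif current:
            current[1].append(line)
            if "---[ end trace" in line:
                yield current
                current = None
    if current:                      # log cut off mid-report, e.g. by the crash itself
        yield current

def find_synth_crashes(log_text):
    """Return one dict per page-fault report that mentions the synth handler."""
    hits = []
    for addr, lines in split_oops_reports(log_text):
        body = "\n".join(lines)
        if SYNTH_FN in body:
            hits.append({"address": hex(addr), "low_address": addr < LOW_ADDR_LIMIT,
                         "supervisor_read": "supervisor read access in kernel mode" in body,
                         "error_code_0": "error_code(0x0000)" in body})
    return hits

if __name__ == "__main__":
    print(find_synth_crashes(SAMPLE_LOG))
```

Feed it the text of the persisted kernel log from the previous boot; a report cut short by the crash is still returned, with the missing indicators set to False.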
