{"id":"CVE-2026-31528","summary":"perf: Make sure to use pmu_ctx-\u003epmu for groups","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Make sure to use pmu_ctx-\u003epmu for groups\n\nOliver reported that x86_pmu_del() ended up doing an out-of-bound memory access\nwhen group_sched_in() fails and needs to roll back.\n\nThis *should* be handled by the transaction callbacks, but he found that when\nthe group leader is a software event, the transaction handlers of the wrong PMU\nare used. Despite the move_group case in perf_event_open() and group_sched_in()\nusing pmu_ctx-\u003epmu.\n\nTurns out, inherit uses event-\u003epmu to clone the events, effectively undoing the\nmove_group case for all inherited contexts. Fix this by also making inherit use\npmu_ctx-\u003epmu, ensuring all inherited counters end up in the same pmu context.\n\nSimilarly, __perf_event_read() should equally use pmu_ctx-\u003epmu for the\ngroup case.","modified":"2026-05-18T05:59:50.803801527Z","published":"2026-04-22T13:54:41.180Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31528.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/35f7914e54fe7f13654c22ee045b05e4b6d8062b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a696e84a8b1fafdd774bb30d62919faf844d9e4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4b9ce671960627b2505b3f64742544ae9801df97"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4c759446046500a1a6785b25725725c3ff087ace"},{"type":"WEB","url":"https://git.kernel.org/stable/c/656f35b463995bee024d948440128230aacd81e1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31528.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31528"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected"
:[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bd27568117664b8b3e259721393df420ed51f57b"},{"fixed":"656f35b463995bee024d948440128230aacd81e1"},{"fixed":"3a696e84a8b1fafdd774bb30d62919faf844d9e4"},{"fixed":"35f7914e54fe7f13654c22ee045b05e4b6d8062b"},{"fixed":"4c759446046500a1a6785b25725725c3ff087ace"},{"fixed":"4b9ce671960627b2505b3f64742544ae9801df97"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31528.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31528.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}