CVE-2026-46272: Linux CoreSight TMC-ETR Race Condition DoS
CVE-2026-46272 is a race condition in the Linux kernel's CoreSight Trace Memory Controller (TMC) Embedded Trace Receiver (ETR) driver. When a system attempts to run both performance tracing (perf) and sysfs-based hardware tracing simultaneously, a timing gap between buffer allocation and hardware enablement in sysfs mode allows the perf mode to initialize its own buffer state. This causes sysfs mode to later detect the unexpected state and trigger a kernel warning, resulting in denial of service through system instability. The vulnerability exists because the sysfs enablement process was split across two separate locking regions, creating a window where perf mode could intervene.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-362
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode When trying to run perf and sysfs mode simultaneously, the WARN_ON() in tmc_etr_enable_hw() is triggered sometimes: WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] [..snip..] Call trace: tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] coresight_enable_path+0x1c8/0x218 [coresight] coresight_enable_sysfs+0xa4/0x228 [coresight] enable_source_store+0x58/0xa8 [coresight] dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 kernfs_fop_write_iter+0x120/0x1b8 vfs_write+0x2c8/0x388 ksys_write+0x74/0x108 __arm64_sys_write+0x24/0x38 el0_svc_common.constprop.0+0x64/0x148 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x1ac/0x1b0 ---[ end trace 0000000000000000 ]--- Since the enablement of sysfs mode is separeted into two critical regions, one for sysfs buffer allocation and another for hardware enablement, it's possible to race with the perf mode. Fix this by double check whether the perf mode's been used before enabling the hardware in sysfs mode. mode: [sysfs mode] [perf mode] tmc_etr_get_sysfs_buffer() spin_lock(&drvdata->spinlock) [sysfs buffer allocation] spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() drvdata->etr_buf = etr_perf->etr_buf spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at the perf side spin_unlock(&drvdata->spinlock) With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf. This ensures we verify whether the perf mode's already running before we actually allocate the buffer. Then we can save the time of allocating/freeing the sysfs buffer if race with the perf mode.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in drivers/hwtracing/coresight/coresight-tmc-etr.c at the tmc_etr_enable_hw() function. The issue stems from a classic check-then-act race condition where sysfs mode first allocates a buffer under spinlock protection via tmc_etr_get_sysfs_buffer(), releases the lock, and later reacquires it to call tmc_etr_enable_hw(). During this window, perf mode can acquire the spinlock, initialize the device's etr_buf pointer to its own buffer, and release the lock. When sysfs mode subsequently calls tmc_etr_enable_hw(), the function's WARN_ON(drvdata->etr_buf) check fails because the buffer is already initialized—not by sysfs, but by perf. The fix implements a double-check pattern in sysfs mode's get_etr_sysfs_buf function to verify perf mode is not already running before proceeding with buffer allocation, eliminating the race window entirely.
Business impact
This vulnerability causes kernel warnings and denial of service conditions in systems that use CoreSight hardware tracing—primarily found in ARM-based servers, embedded systems, and SoCs with advanced debugging capabilities. The impact is moderate because triggering the condition requires simultaneous mixed usage of tracing modes (perf and sysfs) via local privileged access. However, on systems where both interfaces are active or monitored, it can lead to unpredictable kernel behavior, system instability, or crashes during troubleshooting and performance analysis workflows. Organizations relying on continuous hardware-level tracing for debugging or profiling may experience service interruptions.
Affected systems
The vulnerability affects the Linux kernel's CoreSight TMC-ETR driver, which is used on ARM-based platforms with hardware tracing capabilities. This includes ARM servers (Ampere Altra, Graviton, Neoverse-based), Qualcomm Snapdragon platforms, and various embedded systems with CoreSight support. The vulnerability is triggered only when both perf tracing and sysfs hardware tracing interfaces are actively managed, requiring local system access and elevated privileges. Non-ARM systems or systems not using CoreSight hardware tracing are unaffected.
Exploitability
Exploitability is limited by multiple factors: the attack vector is local-only, privileged user or developer access is required to write to sysfs tracing interfaces and invoke perf commands, and the race condition itself requires precise timing to manifest. The WARN_ON() trigger is probabilistic rather than deterministic, depending on CPU scheduling and system load. While a privileged attacker could intentionally trigger this by rapidly alternating perf and sysfs tracing operations, the primary risk is accidental concurrent usage by system administrators or developers. This is classified as a denial of service vulnerability rather than a confidentiality or integrity threat.
Remediation
Apply the kernel patch that implements double-check verification in the sysfs buffer allocation path. The fix ensures tmc_etr_enable_hw() verifies perf mode is not already active before attempting sysfs enablement, closing the race window. After patching, the driver gracefully avoids buffer allocation when perf mode is detected, preventing the WARN_ON() condition entirely. Verify the patch is present in your kernel version or compile a kernel with the fix applied. No workarounds are available for unpatched systems other than avoiding simultaneous use of perf and sysfs tracing interfaces.
Patch guidance
Identify your Linux kernel version and verify the patch has been integrated. Check the CoreSight TMC driver source (coresight-tmc-etr.c) for the double-check logic in tmc_etr_get_sysfs_buffer() that validates perf mode before proceeding. If running a distribution kernel, check your vendor's security advisory for the specific kernel package version containing this fix. For upstream kernels, the fix is present in the mainline commit that resolves this race condition. Test patched systems by attempting concurrent perf and sysfs tracing to confirm the WARN_ON() no longer triggers. Document your kernel baseline version and patch date for compliance tracking.
Detection guidance
Monitor kernel logs for WARN_ON() messages originating from tmc_etr_enable_hw() at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060. Systems exhibiting this warning are running vulnerable code and attempting concurrent perf and sysfs tracing. Check system audit logs for simultaneous writes to sysfs CoreSight trace control files combined with active perf tracing sessions. On affected platforms, enable CoreSight driver debug logging to capture race condition indicators. While no CVE-specific attack signatures exist, observing this kernel warning is a strong indicator of either accidental misconfiguration or deliberate stress-testing of tracing interfaces.
Why prioritize this
Although classified as MEDIUM severity (CVSS 4.7) due to local-only attack vector, elevated privilege requirement, and denial-of-service impact, this vulnerability should be prioritized for patching on any ARM-based infrastructure where CoreSight hardware tracing is actively used for production debugging, performance analysis, or telemetry collection. The fix is straightforward and low-risk, making remediation a high-value defensive measure. Systems where tracing is not actively used face minimal practical risk and can defer patching to routine maintenance windows.
Risk score, explained
The CVSS 4.7 MEDIUM score reflects the vulnerability's local attack vector (AV:L), high attack complexity due to race condition timing requirements (AC:H), low privilege requirement (PR:L—any local user can write to sysfs), no user interaction needed (UI:N), unchanged scope (S:U), and unavailability impact only (A:H with no C:N or I:N). The high complexity factor appropriately discounts the exploitability because reliably triggering the race requires specific timing and system state. The score appropriately prioritizes the availability impact without inflating risk for confidentiality or integrity concerns.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-46272 requires local system access and elevated privileges (ability to write to sysfs CoreSight control files and invoke perf commands). Remote exploitation is not possible.
What is the difference between perf and sysfs tracing modes?
Perf mode is the performance event tracing subsystem used by the perf command-line tool for profiling applications and system performance. Sysfs mode provides direct hardware trace control via the sysfs filesystem interface. Both access the same underlying CoreSight hardware, and the fix prevents them from conflicting when used simultaneously.
If I only use perf tracing, am I affected?
If you use only perf tracing and never access sysfs CoreSight control files, this vulnerability cannot be triggered in your environment. The race condition requires both interfaces to be active concurrently. However, patching is still recommended for defense-in-depth.
Are all Linux systems vulnerable?
No. Only systems with ARM-based processors that include CoreSight hardware tracing capabilities (primarily ARM servers and embedded platforms) are affected. x86/x64 systems, systems without CoreSight support, or kernels not compiled with CoreSight drivers are not vulnerable.
This analysis is based on CVE-2026-46272 as published and the technical description provided. Patch availability, specific affected kernel versions, and vendor-specific guidance should be verified against official Linux kernel advisories and your system vendor's security updates. This vulnerability analysis does not constitute a guarantee of security—conduct your own risk assessment and testing in your environment. No exploit code or proof-of-concept instructions are provided. Organizations should implement patching and monitoring within their own security and change management frameworks. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46187MEDIUMLinux RSI Driver Use-After-Free Vulnerability (CVSS 4.7)
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-46157HIGHLinux Kernel ALSA PCM OSS Data Race Vulnerability
- CVE-2026-47741MEDIUMShopper Discount Over-Redemption Race Condition (MEDIUM)
- CVE-2026-10565LOWRace Condition in Open5GS NGAP Handover Affects 5G Service Continuity
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout