Expired Pointer Dereference Affecting libperf package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS10-LIBPERF-17449466
- published25 Jun 2026
- disclosed24 Jun 2026
Introduced: 24 Jun 2026
NewCVE-2026-52923 (opens in a new tab)How to fix?
There is no fixed version for Centos:10 libperf.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libperf package and not the libperf package as distributed by Centos.
See How to fix? for Centos:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
ipc: limit next_id allocation to the valid ID range
The checkpoint/restore sysctl path can request the next SysV IPC id through ids->next_id. ipc_idr_alloc() currently forwards that request to idr_alloc() with an open-ended upper bound.
If the valid tail of the SysV IPC id space is full, the allocation can spill beyond ipc_mni. The returned SysV IPC id still uses the normal index encoding, so later lookup and removal can target the wrong slot. This leaves the real IDR entry behind and breaks the IDR state for the object.
The bug is in ipc_idr_alloc() in the checkpoint/restore path.
ids->next_id is passed to:
idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)The zero upper bound makes the allocation effectively open-ended. Once the valid SysV IPC tail is occupied, idr_alloc() can spill past ipc_mni and allocate an entry beyond the valid IPC id range.
The new object id is still encoded with the narrower SysV IPC index width:
new->id = (new->seq << ipcmni_seq_shift()) + idxLater removal goes through ipc_rmid(), which uses:
ipcid_to_idx(ipcp->id)That truncates the real IDR index. An object actually stored at a high index can then be removed as if it lived at a low in-range index.
For shared memory, shm_destroy() frees the current object anyway, but the real high IDR slot is left behind as a dangling pointer.
A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry and dereferences freed memory.
Prevent this by bounding the requested allocation to ipc_mni so the checkpoint/restore path fails once the valid range is exhausted.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2492094
- https://access.redhat.com/security/cve/CVE-2026-52923
- https://git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f
- https://git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5
- https://git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456
- https://git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef
- https://git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e
- https://git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04
- https://git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed
- https://git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139