Skip to main content

Linux CVE-2026-23371

| EUVDEUVD-2026-15357 MEDIUM
2026-03-25 Linux GHSA-55fv-ccjv-2hr3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 16:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15357
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting

Running stress-ng --schedpolicy 0 on an RT kernel on a big machine might lead to the following WARNINGs (edited).

sched: DL de-boosted task PID 22725: REPLENISH flag missing

WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8 ... (running_bw underflow) Call trace: dequeue_task_dl+0x15c/0x1f8 (P) dequeue_task+0x80/0x168 deactivate_task+0x24/0x50 push_dl_task+0x264/0x2e0 dl_task_timer+0x1b0/0x228 __hrtimer_run_queues+0x188/0x378 hrtimer_interrupt+0xfc/0x260 ...

The problem is that when a SCHED_DEADLINE task (lock holder) is changed to a lower priority class via sched_setscheduler(), it may fail to properly inherit the parameters of potential DEADLINE donors if it didn't already inherit them in the past (shorter deadline than donor's at that time). This might lead to bandwidth accounting corruption, as enqueue_task_dl() won't recognize the lock holder as boosted.

The scenario occurs when:

  1. A DEADLINE task (donor) blocks on a PI mutex held by another

DEADLINE task (holder), but the holder doesn't inherit parameters (e.g., it already has a shorter deadline)

  1. sched_setscheduler() changes the holder from DEADLINE to a lower

class while still holding the mutex

  1. The holder should now inherit DEADLINE parameters from the donor

and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen

Fix the issue by introducing __setscheduler_dl_pi(), which detects when a DEADLINE (proper or boosted) task gets setscheduled to a lower priority class. In case, the function makes the task inherit DEADLINE parameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to ensure proper bandwidth accounting during the next enqueue operation.

AnalysisAI

A Linux kernel scheduler vulnerability in SCHED_DEADLINE task handling causes bandwidth accounting corruption when a deadline task holding a priority-inheritance mutex is changed to a lower priority class via sched_setscheduler(). The vulnerability affects Linux kernel implementations (all versions with SCHED_DEADLINE support) and can be triggered by local unprivileged users running specific workloads like stress-ng, potentially leading to kernel warnings, task accounting underflow, and denial of service. No active exploitation in the wild is currently documented, but the vulnerability is fixed in stable kernel branches as evidenced by the provided commit references.

Technical ContextAI

This vulnerability exists in the Linux kernel's deadline scheduler (kernel/sched/deadline.c), which manages SCHED_DEADLINE tasks—a real-time scheduling class introduced in Linux 3.14 for tasks with hard temporal deadlines. The affected products are identified by CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* (all Linux kernel versions). The root cause involves improper handling of bandwidth accounting when a DEADLINE task (lock holder in a priority-inheritance mutex scenario) is demoted to a lower scheduling class without properly inheriting deadline parameters from the blocking DEADLINE donor task. The bug manifests in the task enqueue logic, where the ENQUEUE_REPLENISH flag should be set during the scheduler class transition to maintain running bandwidth (running_bw) consistency, but is omitted when the holder did not previously inherit the donor's parameters. This is fundamentally a state management and flag-synchronization defect in real-time scheduler operations.

RemediationAI

Apply the Linux kernel patch by updating to a stable kernel version that includes commits ba1c22924ddcc280672a2a06a9ca99ee3a1b92c3 (the primary fix introducing __setscheduler_dl_pi() function) or later. Users should upgrade their kernel using standard distribution mechanisms (apt/yum/dnf for Debian/Red Hat-based systems, or by rebuilding from the Linux kernel source repository at https://git.kernel.org/stable/). For systems unable to upgrade immediately, restrict execution of stress-testing utilities and scheduler manipulation tools (stress-ng, custom sched_setscheduler callers) to trusted administrative users only, and avoid running mixed-priority real-time workloads on high-core-count systems until patched. The vulnerability is addressed directly by the fix and does not have meaningful workarounds, making prompt patching the primary mitigation.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy