Skip to main content

Linux Kernel CVE-2026-43392

| EUVDEUVD-2026-28698 MEDIUM
2026-05-08 Linux GHSA-vww6-hvwf-mv33
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 12:41 vuln.today
CVSS changed
May 26, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix starvation of scx_enable() under fair-class saturation

During scx_enable(), the READY -> ENABLED task switching loop changes the calling thread's sched_class from fair to ext. Since fair has higher priority than ext, saturating fair-class workloads can indefinitely starve the enable thread, hanging the system. This was introduced when the enable path switched from preempt_disable() to scx_bypass() which doesn't protect against fair-class starvation. Note that the original preempt_disable() protection wasn't complete either - in partial switch modes, the calling thread could still be starved after preempt_enable() as it may have been switched to ext class.

Fix it by offloading the enable body to a dedicated system-wide RT (SCHED_FIFO) kthread which cannot be starved by either fair or ext class tasks. scx_enable() lazily creates the kthread on first use and passes the ops pointer through a struct scx_enable_cmd containing the kthread_work, then synchronously waits for completion.

The workfn runs on a different kthread from sch->helper (which runs disable_work), so it can safely flush disable_work on the error path without deadlock.

AnalysisAI

System-hang denial-of-service in the Linux kernel's sched_ext (SCX) extensible scheduler subsystem allows a local low-privileged attacker to indefinitely starve the scx_enable() thread by saturating fair-class workloads, causing the system to hang. Affected are kernel versions containing the SCX subsystem from the introduction commit 8c2090c504e998c8f34ec870bae71dafcc96a6e0 through multiple stable branches including 6.12.x before 6.12.78 and 6.18.x/6.19.x series. EPSS exploitation probability is 0.02% (5th percentile) with no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The sched_ext (SCX) subsystem, introduced in recent Linux kernels, enables BPF-programmable CPU schedulers. The affected code path is scx_enable(), which orchestrates the READY-to-ENABLED state transition by switching the calling thread's scheduling class from CFS (Completely Fair Scheduler, fair class) to the ext class. Linux's scheduler priority ordering places fair above ext, creating an inherent starvation risk: any workload running under CFS that saturates CPU time can prevent the enable thread - now running as ext class - from being scheduled, hanging the enable operation indefinitely. The original protection using preempt_disable() was replaced by scx_bypass(), which does not guard against fair-class preemption. The CWE classification is not formally assigned, but the root cause maps to a race condition or scheduling priority inversion (analogous to CWE-362 or CWE-400). The fix offloads the enable body to a dedicated SCHED_FIFO RT kthread, which by definition cannot be preempted by fair or ext class tasks, and uses a scx_enable_cmd struct with kthread_work for synchronous completion. CPE data (cpe:2.3:a:linux:linux:*) confirms the Linux kernel as the sole affected product.

RemediationAI

The vendor-released patch is available across multiple stable branches: upgrade to Linux kernel 6.12.78 or later for 6.12.x users, 6.18.20 or later for 6.18.x users, 6.19.9 or later for 6.19.x users, or the 7.0 mainline. Fix commits are published at https://git.kernel.org/stable/c/e0b14bf06393be137d3efb6a3b7cd5b4b9810a6b (6.19.x), https://git.kernel.org/stable/c/c44198f25fdfecc0ec0fe366bf8a47fe17d8e229 (6.12.x), https://git.kernel.org/stable/c/05ab9ec5dc24f234e0a2fecf3e6ff937c68f7d81 (6.18.x), and https://git.kernel.org/stable/c/b06ccbabe2506fd70b9167a644978b049150224a (mainline). If patching is not immediately feasible and SCX is not required, disabling the sched_ext subsystem by not loading any SCX BPF scheduler will prevent scx_enable() from being invoked, eliminating the vulnerable code path with no functional trade-off on non-SCX workloads. Restricting local user access on systems where SCX is actively deployed limits the attacker's ability to artificially saturate the CPU. Distribution-specific advisories from Red Hat and SUSE should be monitored for backport availability.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy