Skip to main content

Linux Kernel CVE-2026-43482

| EUVDEUVD-2026-30018 MEDIUM
2026-05-13 Linux GHSA-rgq2-6gcj-qprf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires OS preemption at a specific narrow window beyond attacker control, justifying AC:H; local low-privilege access suffices; availability impact only.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 22:32 vuln.today
CVSS changed
Jun 26, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 13, 2026 - 16:33 EUVD
CVE Published
May 13, 2026 - 15:08 nvd
MEDIUM 5.5
CVE Published
May 13, 2026 - 15:08 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Disable preemption between scx_claim_exit() and kicking helper work

scx_claim_exit() atomically sets exit_kind, which prevents scx_error() from triggering further error handling. After claiming exit, the caller must kick the helper kthread work which initiates bypass mode and teardown.

If the calling task gets preempted between claiming exit and kicking the helper work, and the BPF scheduler fails to schedule it back (since error handling is now disabled), the helper work is never queued, bypass mode never activates, tasks stop being dispatched, and the system wedges.

Disable preemption across scx_claim_exit() and the subsequent work kicking in all callers - scx_disable() and scx_vexit(). Add lockdep_assert_preemption_disabled() to scx_claim_exit() to enforce the requirement.

AnalysisAI

A race condition in the Linux kernel's sched_ext BPF scheduler subsystem allows a local low-privileged user to permanently hang the system when sched_ext is actively loaded. Between scx_claim_exit() atomically marking error exit and the subsequent kick of the helper kthread, a preemption window exists where the BPF scheduler - now with error handling disabled - may fail to reschedule the calling task, leaving the helper work permanently unqueued. The result is bypass mode never activating, task dispatching halting, and a complete system wedge. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), but the availability impact is total for affected systems running a custom BPF scheduler.

Technical ContextAI

The sched_ext subsystem (introduced in Linux 6.12) allows BPF programs to implement fully custom CPU schedulers in the kernel. The flaw is in the teardown/error-handling path: scx_claim_exit() atomically sets the exit_kind flag to prevent duplicate error invocations from scx_error(), but this creates a logical atomicity requirement with the immediately following kthread kick that initiates bypass mode. Without preemption disabled across these two operations, a task switch at the boundary leaves the kernel in an irrecoverable state. The root cause class is a missing critical section - a synchronization primitive omission - around two operations that must execute without interruption. Affected CPE is cpe:2.3:a:linux:linux, covering kernel versions from commit f0e1a0643a59bf1f922fa209cec86a170b784f3f up to the respective stable-branch fix commits. The CWE is not formally assigned but maps closely to CWE-362 (Race Condition) combined with CWE-667 (Improper Locking).

RemediationAI

Upgrade to a patched Linux kernel: 6.12.78 for 6.12.x LTS users, 6.18.20 for 6.18.x users, 6.19.9 for 6.19.x users, or any 7.0 build incorporating the fix, as confirmed by EUVD-2026-30018. The upstream fix disables preemption across scx_claim_exit() and the subsequent work-kicking calls in both scx_disable() and scx_vexit(), and adds lockdep_assert_preemption_disabled() to enforce the invariant at runtime. Patch commits are available via the four git.kernel.org stable-tree links listed above. If immediate kernel upgrade is not feasible, the most effective compensating control is to avoid loading any custom sched_ext BPF scheduler programs, since the vulnerability requires sched_ext to be actively in use; this trade-off eliminates the attack surface at the cost of any BPF scheduling customizations. There is no known runtime configuration toggle to patch the race without a kernel update.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-43482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy