Skip to main content

Linux Kernel EUVDEUVD-2026-26546

| CVE-2026-31733 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:15 vuln.today
CVSS changed
May 07, 2026 - 16:52 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26546
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix stale direct dispatch state in ddsp_dsq_id

@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a spurious warning in mark_direct_dispatch() when the next wakeup's ops.select_cpu() calls scx_bpf_dsq_insert(), such as:

WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140

The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), which is not reached in all paths that consume or cancel a direct dispatch verdict.

Fix it by clearing it at the right places:

  • direct_dispatch(): cache the direct dispatch state in local variables

and clear it before dispatch_enqueue() on the synchronous path. For the deferred path, the direct dispatch state must remain set until process_ddsp_deferred_locals() consumes them.

  • process_ddsp_deferred_locals(): cache the dispatch state in local

variables and clear it before calling dispatch_to_local_dsq(), which may migrate the task to another rq.

  • do_enqueue_task(): clear the dispatch state on the enqueue path

(local/global/bypass fallbacks), where the direct dispatch verdict is ignored.

  • dequeue_task_scx(): clear the dispatch state after dispatch_dequeue()

to handle both the deferred dispatch cancellation and the holding_cpu race, covering all cases where a pending direct dispatch is cancelled.

  • scx_disable_task(): clear the direct dispatch state when

transitioning a task out of the current scheduler. Waking tasks may have had the direct dispatch state set by the outgoing scheduler's ops.select_cpu() and then been queued on a wake_list via ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such tasks are not on the runqueue and are not iterated by scx_bypass(), so their direct dispatch state won't be cleared. Without this clear, any subsequent SCX scheduler that tries to direct dispatch the task will trigger the WARN_ON_ONCE() in mark_direct_dispatch().

AnalysisAI

A denial of service condition in the Linux kernel scheduler extension (sched_ext) subsystem allows local authenticated attackers to trigger a kernel warning and potential crash via improper handling of stale direct dispatch state in the ddsp_dsq_id field. When a task's direct dispatch verdict is not properly cleared across all code paths that consume or cancel such verdicts, a subsequent wakeup operation calling ops.select_cpu() with scx_bpf_dsq_insert() triggers a spurious WARN_ON_ONCE() in mark_direct_dispatch(), exposing the availability impact of the vulnerability. The issue affects Linux kernels with sched_ext enabled and requires local access with low privilege (non-root user capable of triggering task scheduling operations).

Technical ContextAI

The sched_ext subsystem is an in-kernel extensibility framework for CPU scheduling policies, allowing custom scheduling disciplines via eBPF programs. The vulnerability exists in the direct dispatch mechanism, which caches a task's target dispatch queue ID in the per-task structure field @p->scx.ddsp_dsq_id. This field indicates a task should be dispatched directly to a specific queue rather than through the normal scheduling path. The root cause is incomplete clearing of this cached state: the field was only cleared in dispatch_enqueue(), but multiple code paths (deferred dispatch handling, task enqueueing with fallbacks, task dequeuing, and scheduler transitions) can consume or invalidate a direct dispatch verdict without reaching that clearing point. When ddsp_dsq_id remains set to a non-SCX_DSQ_INVALID value across these paths, subsequent wakeups that trigger ops.select_cpu() and call scx_bpf_dsq_insert() encounter mark_direct_dispatch() which validates that no direct dispatch is already pending-finding the stale value causes the warning.

RemediationAI

Apply the vendor-released patch from the Linux kernel stable branches: commit ca685511f7afd42cdcbb0feea42e5d332d384251 (6.12 series), 7e0ffb72de8aa3b25989c2d980e81b829c577010 (6.19 series), 5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5 (6.18 series), or 7ea601daa0153e19cd1c6e6b300348c70c05fe77 (7.0 series) depending on your kernel version, available at https://git.kernel.org/stable/. Users unable to patch immediately can disable sched_ext-based custom schedulers (CONFIG_SCHED_EXT=n at compile time or by avoiding loading custom eBPF scheduling programs) to prevent triggering the vulnerability, though this removes the ability to use advanced scheduling policies. For systems requiring sched_ext, apply the targeted fix which clears ddsp_dsq_id state at five specific locations: in direct_dispatch() before synchronous dispatch, in process_ddsp_deferred_locals() before calling dispatch_to_local_dsq(), in do_enqueue_task() on fallback paths, in dequeue_task_scx() after dispatch_dequeue(), and in scx_disable_task() during scheduler transitions.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy