Skip to main content

Linux Kernel EUVDEUVD-2026-26547

| CVE-2026-31734 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:15 vuln.today
CVSS changed
May 07, 2026 - 16:52 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26547
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU

Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable() only when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate(). Without CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled, so migration_disabled == 1 always means the task is truly migration-disabled regardless of whether it is the current task.

The old unconditional p == current check was a false negative in this case, potentially allowing a migration-disabled task to be dispatched to a remote CPU and triggering scx_error in task_can_run_on_remote_rq().

Only apply the p == current disambiguation when CONFIG_PREEMPT_RCU is enabled, where the ambiguity with the BPF prolog still exists.

AnalysisAI

Denial of service in Linux kernel scheduler extension (sched_ext) allows local privileged attackers to crash systems by triggering incorrect task migration validation. The vulnerability exists in the is_bpf_migration_disabled() function, which fails to correctly identify migration-disabled tasks on non-PREEMPT_RCU configurations, potentially dispatching such tasks to remote CPUs and triggering kernel errors in task_can_run_on_remote_rq(). EPSS exploitation probability is very low at 0.02%, but CVSS 5.5 indicates local attackers with standard user privileges can cause denial of service.

Technical ContextAI

The Linux kernel's scheduler extension (sched_ext) BPF subsystem uses rcu_read_lock_dont_migrate() to call migrate_disable() in the BPF prolog (__bpf_prog_enter), but only when CONFIG_PREEMPT_RCU is enabled. On non-PREEMPT_RCU systems, migration_disabled is never set by the BPF layer. The is_bpf_migration_disabled() function previously used an unconditional check 'p current' to disambiguate whether migration_disabled 1 meant true migration disablement or just BPF prolog execution. This check fails on non-PREEMPT_RCU systems where the BPF prolog never touches migration_disabled, causing the function to return false negatives - incorrectly reporting that migration-disabled tasks are not actually disabled. This allows the scheduler to incorrectly dispatch migration-disabled tasks to remote CPUs, violating scheduling constraints and triggering scx_error in task_can_run_on_remote_rq().

RemediationAI

Apply vendor-released patch: upgrade to Linux kernel 6.18.22, 6.19.12, 7.0, or later versions containing commits 0c4a59df370bea245695c00aaae6ae75747139bd, 72c43eb2e334febe93018cfb68ae828f55c6e49e, or b4992a9446bb9a639007bfd32bf5c5a7e30199e5 (available at https://git.kernel.org/stable/c/). The fix conditionally applies the p == current check only when CONFIG_PREEMPT_RCU is enabled, eliminating false negatives on non-PREEMPT_RCU systems. If immediate patching is not feasible, disable sched_ext scheduling policy in systems not relying on it, or enable CONFIG_PREEMPT_RCU during kernel compilation if feasible - this mitigates the configuration-specific vector but may have performance trade-offs on non-realtime systems. Monitor kernel logs for scx_error messages indicating migration validation failures.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy