Skip to main content

Linux Kernel EUVDEUVD-2026-28607

| CVE-2026-43323 MEDIUM
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-549j-xvh5-g4r6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 20:30 vuln.today
CVSS changed
May 15, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix zero_vruntime tracking fix

John reported that stress-ng-yield could make his machine unhappy and managed to bisect it to commit b3d99f43c72b ("sched/fair: Fix zero_vruntime tracking").

The combination of yield and that commit was specific enough to hypothesize the following scenario:

Suppose we have 2 runnable tasks, both doing yield. Then one will be eligible and one will not be, because the average position must be in between these two entities.

Therefore, the runnable task will be eligible, and be promoted a full slice (all the tasks do is yield after all). This causes it to jump over the other task and now the other task is eligible and current is no longer. So we schedule.

Since we are runnable, there is no {de,en}queue. All we have is the __{en,de}queue_entity() from {put_prev,set_next}_task(). But per the fingered commit, those two no longer move zero_vruntime.

All that moves zero_vruntime are tick and full {de,en}queue.

This means, that if the two tasks playing leapfrog can reach the critical speed to reach the overflow point inside one tick's worth of time, we're up a creek.

Additionally, when multiple cgroups are involved, there is no guarantee the tick will in fact hit every cgroup in a timely manner. Statistically speaking it will, but that same statistics does not rule out the possibility of one cgroup not getting a tick for a significant amount of time -- however unlikely.

Therefore, just like with the yield() case, force an update at the end of every slice. This ensures the update is never more than a single slice behind and the whole thing is within 2 lag bounds as per the comment on entity_key().

AnalysisAI

Local denial of service in Linux kernel scheduler (6.12.78-6.19.12) allows low-privileged users to trigger system-wide instability via stress-ng-yield workloads. The flaw stems from incomplete vruntime tracking in commit b3d99f43c72b, where yield()-heavy tasks can leapfrog past tick updates and cause overflow conditions. EPSS exploitation probability is negligible (0.02%, 5th percentile), and vendor patches are available across all affected stable branches. No active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the Completely Fair Scheduler (CFS) in the Linux kernel, specifically the zero_vruntime tracking mechanism introduced in commit b3d99f43c72b. Virtual runtime (vruntime) is the core metric CFS uses to determine task eligibility and scheduling order. The flaw occurs because __enqueue_entity() and __dequeue_entity() operations during put_prev_task() and set_next_task() no longer update zero_vruntime positions. When two runnable tasks execute rapid yield() calls, they can alternate eligibility states without triggering full enqueue/dequeue cycles or tick interrupts. In multi-cgroup environments, statistical tick delivery delays compound the issue, allowing vruntime values to drift beyond 2 lag bounds and trigger arithmetic overflow in entity_key() calculations. The CPE data confirms impact across stable kernel series 6.12.78-6.12.81, 6.18.17-6.18.22, and 6.19.7-6.19.12, plus specific development commits between 99673934a89f and 1319ea57529e.

RemediationAI

Update to Linux kernel 6.12.81 or later for the 6.12 series, 6.18.22 or later for the 6.18 series, or 6.19.12 or later for the 6.19 series. The fix is implemented in upstream commits 1319ea57529e131822bab56bf417c8edc2db9ae8 (mainline), 87573883c30f1a8555ff720836bb6ea231058539, c089147074ed96ff4330739a0559394c19a3dfc8, and fb61ffb3fb30a161eb5404c27fc7635e275beafd for respective stable branches, available at https://git.kernel.org/stable/. Distribution-specific updates are available through standard package management channels. As an interim workaround if patching is delayed, system administrators can implement cgroup CPU quotas to limit scheduler stress from yield-heavy workloads, though this may degrade performance for legitimate applications. Disabling untrusted user access to systems running affected kernels provides defense in depth but is impractical for most multi-user environments. No kernel boot parameters mitigate this issue. Monitoring for sustained high context switch rates combined with low CPU utilization may indicate exploitation attempts, though false positives from legitimate workloads are likely.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy