Skip to main content

Linux Kernel EUVDEUVD-2026-32385

| CVE-2026-45919 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r52x-qxpq-pv5m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AV:L and PR:L confirmed by RT scheduling requirement; AC:H because exploitation depends on uncontrollable concurrent multi-CPU scheduler timing, not purely attacker-driven conditions.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:42 vuln.today
CVSS changed
Jun 24, 2026 - 17:38 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

sched/rt: Skip currently executing CPU in rto_next_cpu()

CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound RT task, and a CFS task stuck in kernel space. When other CPUs switch from RT to non-RT tasks, RT load balancing (LB) is triggered; with HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution of rto_push_irq_work_func. During push_rt_task on CPU0, if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED and after the push operation completes, CPU0 calls rto_next_cpu(). Since only CPU0 is overloaded in this scenario, rto_next_cpu() should ideally return -1 (no further IPI needed).

However, multiple CPUs invoking tell_cpu_to_push() during LB increments rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory && rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop, which triggers a CPU hardlockup due to continuous self-interrupts.

The trigging scenario is as follows:

cpu0 cpu1 cpu2 pull_rt_task tell_cpu_to_push <------------irq_work_queue_on rto_push_irq_work_func push_rt_task resched_curr(rq) pull_rt_task rto_next_cpu tell_cpu_to_push <-------------------------- atomic_inc(rto_loop_next) rd->rto_loop != next rto_next_cpu irq_work_queue_on rto_push_irq_work_func

Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu(). This solution has been verified to effectively eliminate spurious self-IPIs and prevent CPU hardlockup scenarios.

AnalysisAI

An infinite self-IPI loop in the Linux kernel's real-time scheduler rto_next_cpu() function causes a CPU hardlockup, resulting in a complete denial of service on affected multi-CPU systems. Systems with HAVE_RT_PUSH_IPI enabled are vulnerable when a specific concurrent mix of CPU-bound RT tasks, non-CPU-bound RT tasks, and kernel-stuck CFS tasks triggers a race condition between rd->rto_loop and rd->rto_loop_next during RT load balancing. No public exploit exists and this is not listed in CISA KEV; the EPSS score of 0.02% (7th percentile) confirms low real-world exploitation probability.

Technical ContextAI

The vulnerability resides in kernel/sched/rt.c within the Linux kernel's real-time (RT) task scheduler, specifically the rto_next_cpu() function used during SMP RT overload push operations. The root cause class is CWE-835 (Loop with Unreachable Exit Condition): when HAVE_RT_PUSH_IPI is enabled on SMP systems, remote CPUs call tell_cpu_to_push() which atomically increments rd->rto_loop_next. A mismatch between rd->rto_loop and rd->rto_loop_next - even after rd->rto_cpu is correctly set to -1 - causes rto_next_cpu() to restart its CPU search from -1. If the target CPU (CPU0 in the described scenario) remains in an overloaded RT state (satisfying rt_nr_migratory && rt_nr_total > 1), it is re-selected, queues irq_work to itself, and emits another self-IPI, creating a loop that the hardware watchdog eventually detects as a hard lockup. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to a patched kernel version. Confirmed fixed releases per EUVD-2026-32385 are: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, and 7.0. Upstream stable fix commits are available at https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b, https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3, and related commits listed in the NVD references. As a compensating control prior to patching, restrict unprivileged access to real-time scheduling by setting RLIMIT_RTPRIO to 0 for non-privileged users via /etc/security/limits.conf - this prevents untrusted users from creating the RT task mix required to trigger the race, at the cost of disabling RT scheduling for those users. On custom kernel builds, disabling HAVE_RT_PUSH_IPI at compile time eliminates the IPI-based push path entirely, though this degrades RT load balancing efficiency on high-CPU-count SMP systems.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy