Skip to main content

Linux Kernel EUVDEUVD-2026-32781

| CVE-2026-46154 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xcff-q6mv-v46w
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:57 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.0 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.0
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters

scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one

  • UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).

scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.

AnalysisAI

Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.

Technical ContextAI

The vulnerability lives in the sched_ext (SCX) framework, the BPF-based pluggable scheduler introduced in recent Linux kernels, specifically in the cgroup integration helpers scx_group_set_weight(), scx_group_set_idle(), and scx_group_set_bandwidth(). These functions cached the global scx_root pointer before taking scx_cgroup_ops_rwsem; because scx_cgroup_enabled is only toggled under the write side of that rwsem during scx_cgroup_init/exit, a race window allowed a reader to observe scx_cgroup_enabled=true from a newly loaded scheduler while still holding a pointer to the previously freed scheduler object (released via RCU work). The subsequent SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...) macros then dereference freed memory - a classic use-after-free root cause (CWE-416 class), even though NVD lists CWE as N/A.

RemediationAI

Apply the vendor-released patch by upgrading to Linux 6.18.32, 7.0.7, or 7.1-rc2 (or a distribution kernel that backports commits 0f54f6355575, 80afd4c84bc8, and ce9aaa3af445 from git.kernel.org/stable). If immediate patching is not possible, the most effective compensating control is to disable sched_ext by rebuilding or booting a kernel without CONFIG_SCHED_CLASS_EXT, or by ensuring no BPF scheduler is loaded via scx_loader/sched_ext_ops (trade-off: loses pluggable scheduler functionality such as scx_rusty/scx_lavd, reverting to CFS/EEVDF). As an additional mitigation, restrict CAP_SYS_ADMIN and the ability to write cpu.weight/cpu.idle/cpu.max in delegated cgroup hierarchies to trusted workloads only, and avoid hot-swapping SCX schedulers on production hosts while cgroup updates may be in flight (trade-off: limits dynamic scheduler tuning workflows).

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy