CVE-2026-31733 - Vulnerability Details

- sched_ext: Fix stale direct dispatch state in ddsp_dsq_id

Description

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix stale direct dispatch state in ddsp_dsq_id

@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a
spurious warning in mark_direct_dispatch() when the next wakeup's
ops.select_cpu() calls scx_bpf_dsq_insert(), such as:

WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140

The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(),
which is not reached in all paths that consume or cancel a direct dispatch
verdict.

Fix it by clearing it at the right places:

- direct_dispatch(): cache the direct dispatch state in local variables
and clear it before dispatch_enqueue() on the synchronous path. For
the deferred path, the direct dispatch state must remain set until
process_ddsp_deferred_locals() consumes them.

- process_ddsp_deferred_locals(): cache the dispatch state in local
variables and clear it before calling dispatch_to_local_dsq(), which
may migrate the task to another rq.

- do_enqueue_task(): clear the dispatch state on the enqueue path
(local/global/bypass fallbacks), where the direct dispatch verdict is
ignored.

- dequeue_task_scx(): clear the dispatch state after dispatch_dequeue()
to handle both the deferred dispatch cancellation and the holding_cpu
race, covering all cases where a pending direct dispatch is
cancelled.

- scx_disable_task(): clear the direct dispatch state when
transitioning a task out of the current scheduler. Waking tasks may
have had the direct dispatch state set by the outgoing scheduler's
ops.select_cpu() and then been queued on a wake_list via
ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such
tasks are not on the runqueue and are not iterated by scx_bypass(),
so their direct dispatch state won't be cleared. Without this clear,
any subsequent SCX scheduler that tries to direct dispatch the task
will trigger the WARN_ON_ONCE() in mark_direct_dispatch().

Published: 2026-05-01

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw occurs in the Linux kernel’s sched_ext module, where a stale direct dispatch state can persist after task enqueue, dequeue, or cancellation. When this state remains set, a subsequent wake‑up invokes scx_bpf_dsq_insert, causing a WARN_ON_ONCE in mark_direct_dispatch. The warning indicates improper internal state tracking but does not directly lead to a crash, data loss, or privilege escalation.

Affected Systems

All Linux kernel builds that lack the recent commit which clears the ddsp_dsq_id flag in all dispatch paths are affected. This includes any distribution or custom kernel that has not integrated the scheduler patch addressing this state clearing bug.

Risk and Exploitability

The CVSS base score is not provided and the EPSS is unavailable, implying the likelihood of active exploitation is uncertain and likely low. The vulnerability is not listed in CISA’s KEV catalog. The primary risk is the recurrence of kernel warnings and potential degradation of scheduler reliability, but it does not appear to expose configuration data, modify privileged code paths, or enable remote code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9`	affected	< ca685511f7afd42cdcbb0feea42e5d332d384251
`5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9`	affected	< 5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5
`5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9`	affected	< 7ea601daa0153e19cd1c6e6b300348c70c05fe77
`5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9`	affected	< 7e0ffb72de8aa3b25989c2d980e81b829c577010

Linux

affected

Version	Status	Constraints
`6.12`	affected	—
`0`	unaffected	< 6.12
`6.12.82`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9,ca685511f7afd42cdcbb0feea42e5d332d384251)`	affected	code_commit	—
`[5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9,5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5)`	affected	code_commit	—
`[5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9,7ea601daa0153e19cd1c6e6b300348c70c05fe77)`	affected	code_commit	—
`[5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9,7e0ffb72de8aa3b25989c2d980e81b829c577010)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.12`	affected	generic	—
`[0,6.12)`	unaffected	generic	—
`[6.12.82,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the scheduler patch that clears ddsp_dsq_id in all dispatch paths
Recompile the kernel with the patch applied if the system uses a custom kernel build
If the system cannot be upgraded immediately, monitor kernel logs for WARN_ON_ONCE messages related to sched_ext and schedule a maintenance window for an upgrade

Generated by OpenCVE AI on May 2, 2026 at 10:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5
https://git.kernel.org/stable/c/7e0ffb72de8aa3b25989c2d980e81b829c577010
https://git.kernel.org/stable/c/7ea601daa0153e19cd1c6e6b300348c70c05fe77
https://git.kernel.org/stable/c/ca685511f7afd42cdcbb0feea42e5d332d384251
https://lore.kernel.org/linux-cve-announce/2026050137-CVE-2026-31733-aaa2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31733
https://www.cve.org/CVERecord?id=CVE-2026-31733

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026050137-CVE-2026-31733-aaa2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31733 https://www.cve.org/CVERecord?id=CVE-2026-31733

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix stale direct dispatch state in ddsp_dsq_id @p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a spurious warning in mark_direct_dispatch() when the next wakeup's ops.select_cpu() calls scx_bpf_dsq_insert(), such as: WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140 The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), which is not reached in all paths that consume or cancel a direct dispatch verdict. Fix it by clearing it at the right places: - direct_dispatch(): cache the direct dispatch state in local variables and clear it before dispatch_enqueue() on the synchronous path. For the deferred path, the direct dispatch state must remain set until process_ddsp_deferred_locals() consumes them. - process_ddsp_deferred_locals(): cache the dispatch state in local variables and clear it before calling dispatch_to_local_dsq(), which may migrate the task to another rq. - do_enqueue_task(): clear the dispatch state on the enqueue path (local/global/bypass fallbacks), where the direct dispatch verdict is ignored. - dequeue_task_scx(): clear the dispatch state after dispatch_dequeue() to handle both the deferred dispatch cancellation and the holding_cpu race, covering all cases where a pending direct dispatch is cancelled. - scx_disable_task(): clear the direct dispatch state when transitioning a task out of the current scheduler. Waking tasks may have had the direct dispatch state set by the outgoing scheduler's ops.select_cpu() and then been queued on a wake_list via ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such tasks are not on the runqueue and are not iterated by scx_bypass(), so their direct dispatch state won't be cleared. Without this clear, any subsequent SCX scheduler that tries to direct dispatch the task will trigger the WARN_ON_ONCE() in mark_direct_dispatch().
Title		sched_ext: Fix stale direct dispatch state in ddsp_dsq_id
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5 https://git.kernel.org/stable/c/7e0ffb72de8aa3b25989c2d980e81b829c577010 https://git.kernel.org/stable/c/7ea601daa0153e19cd1c6e6b300348c70c05fe77 https://git.kernel.org/stable/c/ca685511f7afd42cdcbb0feea42e5d332d384251

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:31.558Z

Updated: 2026-05-01T14:14:31.558Z

Reserved: 2026-03-09T15:48:24.137Z

Link: CVE-2026-31733

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:35.913

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31733

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31733 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:45:40Z

Weaknesses

CWE-772

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object