Description
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU

Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for
trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable()
only when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate().
Without CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled,
so migration_disabled == 1 always means the task is truly
migration-disabled regardless of whether it is the current task.

The old unconditional p == current check was a false negative in this
case, potentially allowing a migration-disabled task to be dispatched to
a remote CPU and triggering scx_error in task_can_run_on_remote_rq().

Only apply the p == current disambiguation when CONFIG_PREEMPT_RCU is
enabled, where the ambiguity with the BPF prolog still exists.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel a logic error in is_bpf_migration_disabled() may incorrectly report that a task is not migration‑disabled when CONFIG_PREEMPT_RCU is not enabled. Because the BPF prolog only calls migrate_disable() under this configuration, the function may allow a truly migration‑disabled task to be scheduled on a remote CPU. That dispatch can trigger an scx_error inside task_can_run_on_remote_rq(), which might result in a kernel panic. The flaw is classified as CWE‑372.

Affected Systems

Any Linux kernel build that includes BPF support and does not contain the patch commit 8e4f0b1ebcf2 is affected. This includes all architectures that ship the unpatched kernel, regardless of the CONFIG_PREEMPT_RCU setting, as long as BPF programs can be loaded.

Risk and Exploitability

The likely attack vector involves the ability to load or run BPF programs, which normally requires elevated privileges such as CAP_SYS_ADMIN or CAP_BPF; the CVE description does not explicitly enumerate the required privileges. No public exploit is known. The EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The CVSS score of 5.5 classifies the flaw as medium severity, reflecting a moderate risk of causing a kernel panic through placement of a migration‑disabled task on a remote CPU.

Generated by OpenCVE AI on May 7, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit 8e4f0b1ebcf2, which eliminates the false negative in is_bpf_migration_disabled().
  • If an immediate kernel upgrade is not feasible, disable BPF support or prevent the loading of BPF programs until the kernel is patched.
  • Ensure that CONFIG_PREEMPT_RCU is enabled when BPF functionality is required; this configuration path avoids the ambiguous behavior in the current implementation.

Generated by OpenCVE AI on May 7, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-372
References

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable() only when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate(). Without CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled, so migration_disabled == 1 always means the task is truly migration-disabled regardless of whether it is the current task. The old unconditional p == current check was a false negative in this case, potentially allowing a migration-disabled task to be dispatched to a remote CPU and triggering scx_error in task_can_run_on_remote_rq(). Only apply the p == current disambiguation when CONFIG_PREEMPT_RCU is enabled, where the ambiguity with the BPF prolog still exists.
Title sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:43.725Z

Reserved: 2026-03-09T15:48:24.137Z

Link: CVE-2026-31734

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:36.030

Modified: 2026-05-07T16:50:47.197

Link: CVE-2026-31734

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31734 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T18:30:25Z

Weaknesses