Description
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU

Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for
trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable()
only when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate().
Without CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled,
so migration_disabled == 1 always means the task is truly
migration-disabled regardless of whether it is the current task.

The old unconditional p == current check was a false negative in this
case, potentially allowing a migration-disabled task to be dispatched to
a remote CPU and triggering scx_error in task_can_run_on_remote_rq().

Only apply the p == current disambiguation when CONFIG_PREEMPT_RCU is
enabled, where the ambiguity with the BPF prolog still exists.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a logic error in is_bpf_migration_disabled() may incorrectly report that a task is not migration-disabled when CONFIG_PREEMPT_RCU is not enabled. The BPF prolog calls migrate_disable() only when CONFIG_PREEMPT_RCU is enabled, so without that option the unconditional p == current check can allow a truly migration-disabled task to be dispatched to a remote CPU. That dispatch can trigger an scx_error inside task_can_run_on_remote_rq(), which might result in a kernel panic. The flaw is classified as CWE-372.
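
The false negative can be reproduced with a user-space C model of the check. This is an added example, not the kernel's source: struct task, the old_/fixed_ function names, false_negative() and the runtime preempt_rcu flag (standing in for the compile-time CONFIG_PREEMPT_RCU) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the one task field the check reads. */
struct task {
    int migration_disabled;   /* nesting count of migrate_disable() calls */
};

/* Old logic: a count of 1 on the current task is always attributed to the
 * BPF prolog, whether or not the prolog could have taken it. */
static bool old_is_migration_disabled(const struct task *p, const struct task *cur)
{
    if (p->migration_disabled == 1)
        return p != cur;
    return p->migration_disabled != 0;
}

/* Fixed logic: discount the prolog only when it can have raised the count,
 * i.e. when CONFIG_PREEMPT_RCU is enabled (preempt_rcu in this model). */
static bool fixed_is_migration_disabled(const struct task *p, const struct task *cur,
                                        bool preempt_rcu)
{
    if (p->migration_disabled == 1)
        return preempt_rcu ? p != cur : true;
    return p->migration_disabled != 0;
}

/* Returns 1 when the old check misses a task that the fixed check reports. */
static int false_negative(int count, bool is_current, bool preempt_rcu)
{
    struct task cur = { is_current ? count : 0 };
    struct task other = { count };
    const struct task *p = is_current ? &cur : &other;

    return !old_is_migration_disabled(p, &cur) &&
           fixed_is_migration_disabled(p, &cur, preempt_rcu);
}

int main(void)
{
    /* Walk every combination and print where the two checks disagree. */
    for (int rcu = 0; rcu <= 1; rcu++)
        for (int is_cur = 0; is_cur <= 1; is_cur++)
            for (int count = 0; count <= 2; count++)
                printf("PREEMPT_RCU=%d p==current=%d count=%d false_negative=%d\n",
                       rcu, is_cur, count, false_negative(count, is_cur, rcu));
    return 0;
}
```

The only combination where the two checks disagree is the current task with a count of 1 on a build without CONFIG_PREEMPT_RCU, which is the case the description above identifies.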

Affected Systems

Any Linux kernel build that includes BPF support and does not contain the patch commit 8e4f0b1ebcf2 is affected. This includes all architectures that ship the unpatched kernel, regardless of the CONFIG_PREEMPT_RCU setting, as long as BPF programs can be loaded.

Risk and Exploitability

The likely attack vector involves the ability to load or run BPF programs, which usually requires elevated privileges such as CAP_SYS_ADMIN or CAP_BPF; however, the CVE description does not explicitly enumerate the required privileges. No public exploit is known, EPSS is not available, and the issue is not listed in the CISA KEV catalog. Because the defect could lead to a kernel crash when triggered, the potential impact remains high. The absence of a CVSS score prevents precise quantification of severity.

Generated by OpenCVE AI on May 2, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit 8e4f0b1ebcf2, which eliminates the false negative in is_bpf_migration_disabled().
  • If an immediate kernel upgrade is not feasible, disable BPF support or prevent the loading of BPF programs until the kernel is patched.
  • Ensure that CONFIG_PREEMPT_RCU is enabled when BPF functionality is required; this configuration path avoids the ambiguous behavior in the current implementation.



Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:32.217Z

Reserved: 2026-03-09T15:48:24.137Z

Link: CVE-2026-31734

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T15:16:36.030

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31734

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31734 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses