CVE-2026-45919 - Vulnerability Details

- sched/rt: Skip currently executing CPU in rto_next_cpu()

Description

In the Linux kernel, the following vulnerability has been resolved:

sched/rt: Skip currently executing CPU in rto_next_cpu()

CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound
RT task, and a CFS task stuck in kernel space. When other CPUs switch from
RT to non-RT tasks, RT load balancing (LB) is triggered; with
HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution
of rto_push_irq_work_func. During push_rt_task on CPU0,
if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED
and after the push operation completes, CPU0 calls rto_next_cpu().
Since only CPU0 is overloaded in this scenario, rto_next_cpu() should
ideally return -1 (no further IPI needed).

However, multiple CPUs invoking tell_cpu_to_push() during LB increments
rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between
rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its
search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory
&& rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to
itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and
other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop,
which triggers a CPU hardlockup due to continuous self-interrupts.

The trigging scenario is as follows:

cpu0 cpu1 cpu2
pull_rt_task
tell_cpu_to_push
<------------irq_work_queue_on
rto_push_irq_work_func
push_rt_task
resched_curr(rq) pull_rt_task
rto_next_cpu tell_cpu_to_push
<-------------------------- atomic_inc(rto_loop_next)
rd->rto_loop != next
rto_next_cpu
irq_work_queue_on
rto_push_irq_work_func

Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu().
This solution has been verified to effectively eliminate spurious self-IPIs
and prevent CPU hardlockup scenarios.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel contains a flaw in the real‑time scheduler where a CPU that is already overloaded can be repeatedly selected for load‑balancing. The rto_next_cpu() routine fails to skip the currently executing CPU, causing it to re‑queue interrupt work to itself and send repeated self‑IPIs. As a result the core enters an infinite self‑IPI loop that locks the processor, effectively hard‑locking up the system and making services unavailable. This issue could allow a local attacker to force a denial of service by engineering the specific workload conditions described in the kernel patches.

Affected Systems

All supported Linux kernel releases that include the scheduling code affected by rto_next_cpu() are impacted. No specific kernel version ranges are listed; however any kernel prior to the backport that implements the fix is vulnerable.

Risk and Exploitability

The CVSS score is not provided in the current advisory, and EPSS is not available. The vulnerability is not listed in CISA’s KEV catalog, implying no confirmed public exploits are known. Nevertheless, the attack requires local authority or control over CPU‑bound real‑time and CFS tasks to recreate the scenario, which makes exploitation more difficult.Because the flaw leads directly to a processor hardlockup, its severity and impact on availability are high and the risk is significant if the vulnerable kernel is in use.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< d57d0746276a88ea43a2cc62b849fd8a95e32e41
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< 3b3c672a66db3de3b40f8a7057864bc1f874ede3
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< 16ca9f3117e9a294646c897daf08a5ab546c711b
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< 8ad5577b2d4acfd83f03d97a0aece2d18aac5f07
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< a6a73403733e86748421f2eeaf028c85683ef896
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< 52aeb1e07ec223caf212f036817976c98d2aa250
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< 9f25edc5a20cb52a5abbf25f0724bb4732b81801
`4bdced5c9a2922521e325896a7bbbf0132c94e56`	affected	< 94894c9c477e53bcea052e075c53f89df3d2a33e
`cb1831a83e54cd3269a2420fce81c4fd8ae6f667`	affected	—
`1c37ff78298a6b6063649123356a312e1cce12ca`	affected	—
`f17c786b28a3060a566a170c2cf3bd7441fc30a3`	affected	—
`4.4.103`	affected	< 4.5
`4.9.66`	affected	< 4.10
`4.14.3`	affected	< 4.15

Linux

affected

Version	Status	Constraints
`4.15`	affected	—
`0`	unaffected	< 4.15
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[4.4.103,4.5)`	affected	semver	—
`[4.9.66,4.10)`	affected	semver	—
`[4.14.3,4.15)`	affected	semver	—
`[4bdced5c9a2922521e325896a7bbbf0132c94e56,d57d0746276a88ea43a2cc62b849fd8a95e32e41)`	affected	code_commit	—
`[4bdced5c9a2922521e325896a7bbbf0132c94e56,3b3c672a66db3de3b40f8a7057864bc1f874ede3)`	affected	code_commit	—
`[4bdced... ,16ca9f3117e9a294646c897daf08a5ab546c711b)`	affected	code_commit	—
`[4bdced... ,8ad5577b2d4acfd83f03d97a0aece2d18aac5f07)`	affected	code_commit	—
`[4bdced... ,a6a73403733e86748421f2eeaf028c85683ef896)`	affected	code_commit	—
`[4bdced... ,52aeb1e07ec223caf212f036817976c98d2aa250)`	affected	code_commit	—
`[4bdced... ,9f25edc5a20cb52a5abbf25f0724bb4732b81801)`	affected	code_commit	—
`[4bdced... ,94894c9c477e53bcea052e075c53f89df3d2a33e)`	affected	code_commit	—
`cb1831a83e54cd3269a2420fce81c4fd8ae6f667`	affected	code_commit	—
`1c37ff78298a6b6063649123356a312e1cce12ca`	affected	code_commit	—
`f17c786b28a3060a566a170c2cf3bd7441fc30a3`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.15`	affected	semver	—
`[0,4.15)`	unaffected	semver	—
`[5.10.252,5.10.*]`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a release that includes the patch for rto_next_cpu() which removes the self‑IPI loop.
Reboot the system after installing the new kernel to ensure the scheduler state is refreshed.
If an update cannot be applied immediately, avoid running prolonged CPU‑bound real‑time tasks alongside CFS tasks that can trigger the load‑balancing logic, reducing the chance of a lockup.

Generated by OpenCVE AI on May 27, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b
https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3
https://git.kernel.org/stable/c/52aeb1e07ec223caf212f036817976c98d2aa250
https://git.kernel.org/stable/c/8ad5577b2d4acfd83f03d97a0aece2d18aac5f07
https://git.kernel.org/stable/c/94894c9c477e53bcea052e075c53f89df3d2a33e
https://git.kernel.org/stable/c/9f25edc5a20cb52a5abbf25f0724bb4732b81801
https://git.kernel.org/stable/c/a6a73403733e86748421f2eeaf028c85683ef896
https://git.kernel.org/stable/c/d57d0746276a88ea43a2cc62b849fd8a95e32e41

History

Wed, 27 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-605

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: sched/rt: Skip currently executing CPU in rto_next_cpu() CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound RT task, and a CFS task stuck in kernel space. When other CPUs switch from RT to non-RT tasks, RT load balancing (LB) is triggered; with HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution of rto_push_irq_work_func. During push_rt_task on CPU0, if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED and after the push operation completes, CPU0 calls rto_next_cpu(). Since only CPU0 is overloaded in this scenario, rto_next_cpu() should ideally return -1 (no further IPI needed). However, multiple CPUs invoking tell_cpu_to_push() during LB increments rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory && rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop, which triggers a CPU hardlockup due to continuous self-interrupts. The trigging scenario is as follows: cpu0 cpu1 cpu2 pull_rt_task tell_cpu_to_push <------------irq_work_queue_on rto_push_irq_work_func push_rt_task resched_curr(rq) pull_rt_task rto_next_cpu tell_cpu_to_push <-------------------------- atomic_inc(rto_loop_next) rd->rto_loop != next rto_next_cpu irq_work_queue_on rto_push_irq_work_func Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu(). This solution has been verified to effectively eliminate spurious self-IPIs and prevent CPU hardlockup scenarios.
Title		sched/rt: Skip currently executing CPU in rto_next_cpu()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3 https://git.kernel.org/stable/c/52aeb1e07ec223caf212f036817976c98d2aa250 https://git.kernel.org/stable/c/8ad5577b2d4acfd83f03d97a0aece2d18aac5f07 https://git.kernel.org/stable/c/94894c9c477e53bcea052e075c53f89df3d2a33e https://git.kernel.org/stable/c/9f25edc5a20cb52a5abbf25f0724bb4732b81801 https://git.kernel.org/stable/c/a6a73403733e86748421f2eeaf028c85683ef896 https://git.kernel.org/stable/c/d57d0746276a88ea43a2cc62b849fd8a95e32e41

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:37.165Z

Updated: 2026-05-27T12:17:37.165Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45919

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:06.790

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:15:25Z

Weaknesses

CWE-605

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object