Description
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters

scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring
scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs.
If the loaded scheduler is disabled and freed (via RCU work) and another is
enabled between the naked load and the rwsem acquire, the reader sees
scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one
- UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).

scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write
(scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section
correlates @sch with the enabled snapshot.
Published: 2026-05-28
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the sched_ext cgroup setters cache the pointer to the loaded scheduler (scx_root) before acquiring the protecting lock, scx_cgroup_ops_rwsem. If that scheduler is torn down via RCU work and another scheduler is enabled in the interim, the cached pointer becomes stale. A subsequent dereference of the freed object is a use-after-free, which can result in a kernel crash or, with sufficient privileges, arbitrary code execution at kernel level. The flaw is a use-after-free (CWE-416) triggered by a race condition, which the analysis also labels CWE-825.
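
The ordering problem described above, reduced to a deterministic user-space model in C. This is an added example, not kernel code and not the code of the fix; `struct sched`, `root`, `enabled`, the integer `rwsem`, the `window` hook and all function names are stand-ins assumed for illustration.

```c
#include <assert.h>
#include <stdbool.h>
/* User-space model, hypothetical names: root ~ scx_root,
 * enabled ~ scx_cgroup_enabled, rwsem ~ scx_cgroup_ops_rwsem. */
struct sched { int id; bool freed; };  /* freed: a flag stands in for free() */
static struct sched sched_a, sched_b, *root;
static bool enabled;
static int rwsem;                      /* >0 readers, -1 writer, 0 unlocked */

static void down_read(void)  { assert(rwsem >= 0); rwsem++; }
static void up_read(void)    { rwsem--; }
static void down_write(void) { assert(rwsem == 0); rwsem = -1; }
static void up_write(void)   { rwsem = 0; }

static void reset_model(void)
{
    sched_a = (struct sched){ 1, false };
    sched_b = (struct sched){ 2, false };
    root = &sched_a; enabled = true; rwsem = 0;
}

/* Writer: retire the loaded scheduler, enable another (model simplification). */
static void swap_scheduler(void)
{
    down_write();
    root->freed = true;
    root = &sched_b;
    enabled = true;
    up_write();
}

/* Cgroup setter. window() runs between the early load and the lock so the
 * interleaving is deterministic. Returns true if a freed scheduler was used. */
static bool set_weight(bool fixed, void (*window)(void))
{
    struct sched *sch = root;          /* naked load, before the rwsem */
    if (window) window();
    down_read();
    if (fixed) sch = root;             /* the fix: read root under the rwsem */
    bool stale = enabled && sch->freed;
    up_read();
    return stale;
}

int main(void)
{
    reset_model();
    bool racy = set_weight(false, swap_scheduler);
    reset_model();
    return (racy && !set_weight(true, swap_scheduler)) ? 0 : 1;
}
```

With `fixed` set, the pointer and the enabled flag are sampled in the same read section, and the model's `down_write()` assertion shows why a swap cannot land inside that section.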

Affected Systems

Any Linux kernel that includes the sched_ext scheduler extension and exposes the cgroup setter functions (scx_group_set_weight, scx_group_set_idle, scx_group_set_bandwidth) is potentially affected. Version information is not supplied, implying the issue may exist in all kernels containing this code path, regardless of distribution or kernel release. No vendor‑specific packaging details are available.

Risk and Exploitability

The CVSS score of 7.0 classifies the flaw as high severity, yet the EPSS score of <1% suggests that real‑world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploits. An attacker would need the ability to influence scheduler enable/disable operations, which typically requires privileged or kernel‑module execution rights. Consequently, while the theoretical risk to confidentiality, integrity, and availability is significant, the practical exploitation probability remains low without elevated privileges.

Generated by OpenCVE AI on June 9, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that incorporates the commits referenced in the advisory (e.g., 0f54f63555759717, 80afd4c84bc8f5e80, or ce9aaa3af445c39) to eliminate the stale pointer dereference.
  • If an update cannot be applied immediately, lock the scx_cgroup_ops_rwsem write operations by disabling dynamic scheduler configuration changes or using kernel configuration options that prevent runtime enabling/disabling of the scheduler extension.
  • Restrict access to cgroup configuration interfaces to users with administrative privileges and use SELinux or AppArmor policies to enforce that only trusted processes can modify cgroup scheduler settings.
  • Ensure that only signed and verified kernel modules are loaded, and enforce strict kernel module signing policies to reduce the likelihood that malicious code can trigger the flaw via a module.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*

Sat, 30 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.
Title sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:58:34.741Z

Reserved: 2026-05-13T15:03:33.102Z

Link: CVE-2026-46154

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:31.040

Modified: 2026-06-09T20:59:21.680

Link: CVE-2026-46154

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46154 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-09T23:45:15Z

Weaknesses