Description
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters

scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring
scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs.
If the loaded scheduler is disabled and freed (via RCU work) and another is
enabled between the naked load and the rwsem acquire, the reader sees
scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one
- UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).

scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write
(scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section
correlates @sch with the enabled snapshot.
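
The ordering problem described above, replayed deterministically in a userspace C model. This is an added example, not the kernel's code or the patch: the variable names follow the description, while the counter-based lock, the `freed` flag, `replace_scheduler()` and `replay_setter()` are assumptions made for illustration, and the model folds the scheduler swap and the scx_cgroup_enabled toggle into one writer step.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model (assumption): names follow the advisory, bodies do not. */
struct sched { int id; bool freed; };  /* freed is a flag; nothing is really freed */
static struct sched pool[2];           /* constructed sample schedulers */
static struct sched *scx_root;
static bool scx_cgroup_enabled;
static int rwsem_readers;              /* stands in for scx_cgroup_ops_rwsem */
static void down_read(void) { rwsem_readers++; }
static void up_read(void)   { rwsem_readers--; }

/* Writer side: disable and "free" the loaded scheduler, enable the next one.
 * Refused while a reader holds the modeled rwsem (a real writer would block). */
static bool replace_scheduler(struct sched *next)
{
    if (rwsem_readers > 0)
        return false;
    if (scx_root)
        scx_root->freed = true;
    scx_root = next;
    scx_cgroup_enabled = true;
    return true;
}

/* One setter call, swap landing before the read lock; -1 = op ran on the freed scheduler. */
static int replay_setter(bool load_under_lock)
{
    struct sched *sch = NULL;
    int ret = 0;
    pool[0] = (struct sched){ 1, false };
    pool[1] = (struct sched){ 2, false };
    scx_root = NULL;
    replace_scheduler(&pool[0]);
    if (!load_under_lock)
        sch = scx_root;              /* pre-fix order: naked load */
    replace_scheduler(&pool[1]);     /* race window: 1 freed, 2 enabled */
    down_read();
    if (load_under_lock)
        sch = scx_root;              /* fixed order: load in the read section */
    if (scx_cgroup_enabled)
        ret = sch->freed ? -1 : sch->id;
    up_read();
    return ret;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", replay_setter(false), replay_setter(true));
    return 0;
}
```

Once the load sits inside the read section, a swap can only land before `down_read()` or after `up_read()`, so the pointer and the enabled flag always describe the same scheduler.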
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the scheduler extension caches the scx_root pointer before acquiring the scx_cgroup_ops_rwsem lock. If the scheduler is disabled and freed by RCU work, and a new scheduler is enabled before the lock is acquired, the stale pointer can be dereferenced, leading to a use‑after‑free. An attacker with sufficient privileges could trigger this scenario to crash the kernel or potentially execute arbitrary code at kernel privilege level.

Affected Systems

All Linux installations that include the sched_ext scheduler extension and use scx_root in cgroup setter functions are potentially affected. No specific kernel version is listed, indicating the flaw applies to any kernel containing this code path.

Risk and Exploitability

The CVSS score is not published and EPSS is not available, but a use‑after‑free in kernel space represents a high‑severity flaw. The attack vector would require an attacker to influence scheduler enable/disable operations, typically through privileged code or kernel modules. The vulnerability is listed as not in CISA KEV, yet the potential impact warrants immediate attention.

Generated by OpenCVE AI on May 28, 2026 at 11:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update containing the patch commit 0f54f63555759717, 80afd4c84bc8f5e80, or ce9aaa3af445c39 that fixes the UAF condition.
  • If an update cannot be applied immediately, disable dynamic enabling/disabling of cgroup schedulers by locking scheduler state or configuring the system to use a static scheduler configuration.
  • Ensure that only signed kernel modules are loaded and restrict user access to cgroup configuration interfaces to reduce the chance of an attacker triggering the flaw.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-416 |

Thu, 28 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot. |
| Title | | sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:36:10.310Z

Reserved: 2026-05-13T15:03:33.102Z

Link: CVE-2026-46154

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T10:16:31.040

Modified: 2026-05-28T10:16:31.040

Link: CVE-2026-46154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T11:45:16Z

Weaknesses