Description
In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Clear rel_deadline when initializing forked entities

A yield-triggered crash can happen when a newly forked sched_entity
enters the fair class with se->rel_deadline unexpectedly set.

The failing sequence is:

1. A task is forked while se->rel_deadline is still set.
2. __sched_fork() initializes vruntime, vlag and other sched_entity
state, but does not clear rel_deadline.
3. On the first enqueue, enqueue_entity() calls place_entity().
4. Because se->rel_deadline is set, place_entity() treats se->deadline
as a relative deadline and converts it to an absolute deadline by
adding the current vruntime.
5. However, the forked entity's deadline is not a valid inherited
relative deadline for this new scheduling instance, so the conversion
produces an abnormally large deadline.
6. If the task later calls sched_yield(), yield_task_fair() advances
se->vruntime to se->deadline.
7. The inflated vruntime is then used by the following enqueue path,
where the vruntime-derived key can overflow when multiplied by the
entity weight.
8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility
calculation, and can eventually make all entities appear ineligible.
pick_next_entity() may then return NULL unexpectedly, leading to a
later NULL dereference.

A captured trace shows the effect clearly. Before yield, the entity's
vruntime was around:

9834017729983308

After yield_task_fair() executed:

se->vruntime = se->deadline

the vruntime jumped to:

19668035460670230

and the deadline was later advanced further to:

19668035463470230

This shows that the deadline had already become abnormally large before
yield_task_fair() copied it into vruntime.

rel_deadline is only meaningful when se->deadline really carries a
relative deadline that still needs to be placed against vruntime. A
freshly forked sched_entity should not inherit or retain this state.
Clear se->rel_deadline in __sched_fork(), together with the other
sched_entity runtime state, so that the first enqueue does not interpret
the new entity's deadline as a stale relative deadline.
Published: 2026-06-24
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability resides in the Linux kernel’s fair scheduler. During a fork, the scheduler fails to clear the rel_deadline field of the new sched_entity, causing a stale relative deadline to be treated as an absolute deadline during the first enqueue. The resulting deadline value is far beyond the valid range, and when the fork yields, the scheduler advances its virtual runtime to this inflated deadline. This overflow corrupts scheduler bookkeeping structures, ultimately causing pick_next_entity() to return NULL a NULL pointer, which triggers a kernel panic. The primary impact is a local denial of service because a kernel crash renders the host unusable. The flaw is an Integer Overflow (CWE-190) that allows the scheduler to miscalculate deadlines and overflow scheduler state.

Affected Systems

All Linux kernel installations that have not applied the rel_deadline clearing fix, regardless of distribution or version, are potentially vulnerable. The specific kernel versions affected are not listed, so any running kernel prior to the patch is considered at risk.

Risk and Exploitability

The exploit is local; an attacker who can execute user‑level code can create a forked process that later calls sched_yield to trigger the bug. The CVSS score of 7.0 indicates high severity, but the EPSS score of <1% reflects a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation. Attackers need only user privileges and the conditions are deterministic, making the crash predictable if the conditions are met. Because the fault propagates to a kernel panic, it results in an immediate denial of service.

Generated by OpenCVE AI on June 27, 2026 at 04:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that contains the rel_deadline clearing patch, which fixes the Integer Overflow (CWE‑190) issue in the fair scheduler.
  • If an immediate kernel update is not possible, employ user‑space measures that frequently fork and yield by using container isolation or cgroup restrictions to reduce the impact of a potential overflow.
  • Continuously monitor kernel logs (e.g., /var/log/kern.log) for panic messages and schedule an automatic reboot or service restart when a crash is detected.

Generated by OpenCVE AI on June 27, 2026 at 04:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.
Title sched/fair: Clear rel_deadline when initializing forked entities
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:28:56.457Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52980

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52980 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T04:30:11Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound