CVE-2026-31733
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel sched_ext Scheduler

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix stale direct dispatch state in ddsp_dsq_id @p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a spurious warning in mark_direct_dispatch() when the next wakeup's ops.select_cpu() calls scx_bpf_dsq_insert(), such as: WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140 The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), which is not reached in all paths that consume or cancel a direct dispatch verdict. Fix it by clearing it at the right places: - direct_dispatch(): cache the direct dispatch state in local variables and clear it before dispatch_enqueue() on the synchronous path. For the deferred path, the direct dispatch state must remain set until process_ddsp_deferred_locals() consumes them. - process_ddsp_deferred_locals(): cache the dispatch state in local variables and clear it before calling dispatch_to_local_dsq(), which may migrate the task to another rq. - do_enqueue_task(): clear the dispatch state on the enqueue path (local/global/bypass fallbacks), where the direct dispatch verdict is ignored. - dequeue_task_scx(): clear the dispatch state after dispatch_dequeue() to handle both the deferred dispatch cancellation and the holding_cpu race, covering all cases where a pending direct dispatch is cancelled. - scx_disable_task(): clear the direct dispatch state when transitioning a task out of the current scheduler. Waking tasks may have had the direct dispatch state set by the outgoing scheduler's ops.select_cpu() and then been queued on a wake_list via ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such tasks are not on the runqueue and are not iterated by scx_bypass(), so their direct dispatch state won't be cleared. Without this clear, any subsequent SCX scheduler that tries to direct dispatch the task will trigger the WARN_ON_ONCE() in mark_direct_dispatch().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31733
EUVD
EUVD-2026-26546
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.12 (inc) to 6.12.82 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's scheduler extension (sched_ext) and involves a stale direct dispatch state in the variable ddsp_dsq_id. The issue occurs because ddsp_dsq_id is not always cleared properly in all code paths that consume or cancel a direct dispatch verdict. This can lead to a spurious warning being triggered during task wakeup when certain functions like ops.select_cpu() call scx_bpf_dsq_insert().

The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), but some paths that handle direct dispatch do not reach this function, leaving ddsp_dsq_id set incorrectly. The fix involves clearing ddsp_dsq_id at multiple appropriate points in the scheduler code to ensure the direct dispatch state is properly reset in all scenarios.

Impact Analysis

This vulnerability can cause spurious warnings in the kernel logs related to direct dispatch state handling in the scheduler. While the description does not explicitly mention security impacts such as privilege escalation or denial of service, the presence of stale state and warnings could potentially affect system stability or debugging clarity.

Since the issue involves scheduler internals and task dispatching, it might lead to unexpected behavior in task scheduling or performance anomalies, but no direct impact on system security or data integrity is described.

Detection Guidance

This vulnerability can be detected by monitoring for a specific kernel warning message that appears when the stale direct dispatch state triggers a spurious warning.

The warning message to look for in system logs is:

  • WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140

To detect this on your system, you can use commands to search kernel logs for this warning, for example:

  • dmesg | grep 'WARNING: kernel/sched/ext.c:1273'
  • journalctl -k | grep 'WARNING: kernel/sched/ext.c:1273'
Mitigation Strategies

The vulnerability is fixed by clearing the direct dispatch state at the appropriate points in the Linux kernel scheduler code.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this issue.
  • Ensure that the kernel scheduler code clears the direct dispatch state in the following functions and paths as described:
  • - direct_dispatch() clears the state before dispatch_enqueue() on synchronous paths.
  • - process_ddsp_deferred_locals() clears the state before dispatch_to_local_dsq().
  • - do_enqueue_task() clears the state on enqueue paths.
  • - dequeue_task_scx() clears the state after dispatch_dequeue().
  • - scx_disable_task() clears the state when transitioning a task out of the current scheduler.

If updating the kernel immediately is not possible, monitor for the warning messages and avoid workloads or configurations that trigger direct dispatch paths until patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31733. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart