CVE-2026-43323
Received Received - Intake
Kernel Zero-Vruntime Tracking Race Condition

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix zero_vruntime tracking fix John reported that stress-ng-yield could make his machine unhappy and managed to bisect it to commit b3d99f43c72b ("sched/fair: Fix zero_vruntime tracking"). The combination of yield and that commit was specific enough to hypothesize the following scenario: Suppose we have 2 runnable tasks, both doing yield. Then one will be eligible and one will not be, because the average position must be in between these two entities. Therefore, the runnable task will be eligible, and be promoted a full slice (all the tasks do is yield after all). This causes it to jump over the other task and now the other task is eligible and current is no longer. So we schedule. Since we are runnable, there is no {de,en}queue. All we have is the __{en,de}queue_entity() from {put_prev,set_next}_task(). But per the fingered commit, those two no longer move zero_vruntime. All that moves zero_vruntime are tick and full {de,en}queue. This means, that if the two tasks playing leapfrog can reach the critical speed to reach the overflow point inside one tick's worth of time, we're up a creek. Additionally, when multiple cgroups are involved, there is no guarantee the tick will in fact hit every cgroup in a timely manner. Statistically speaking it will, but that same statistics does not rule out the possibility of one cgroup not getting a tick for a significant amount of time -- however unlikely. Therefore, just like with the yield() case, force an update at the end of every slice. This ensures the update is never more than a single slice behind and the whole thing is within 2 lag bounds as per the comment on entity_key().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43323
EUVD
EUVD-2026-28607
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is related to the Linux kernel's scheduler, specifically the fair scheduling mechanism. A fix was made to the zero_vruntime tracking, which is a value used to track how much CPU time tasks have received.

The issue occurs when two runnable tasks both repeatedly call yield(), causing them to leapfrog each other in scheduling. Because of how zero_vruntime is updated only on ticks and full enqueue/dequeue operations, it can fail to update correctly if tasks switch rapidly within one tick.

This can lead to one task being promoted a full time slice repeatedly, jumping over the other task, and potentially causing scheduling anomalies. When multiple control groups (cgroups) are involved, some groups might not get scheduled ticks in a timely manner, worsening the problem.

The fix forces an update of zero_vruntime at the end of every scheduling slice to ensure the scheduler's timing remains accurate and no task or cgroup is unfairly delayed.


How can this vulnerability impact me? :

This vulnerability can cause unfair scheduling behavior in the Linux kernel, where some tasks may be promoted repeatedly while others are delayed.

In practical terms, this could lead to performance issues, such as certain processes not getting CPU time as expected, which might degrade system responsiveness or cause delays in task execution.

In environments using multiple cgroups, some groups might experience significant delays in scheduling, potentially impacting workload isolation and fairness.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by fixing the zero_vruntime tracking in the scheduler's fair scheduling code.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for the zero_vruntime tracking issue (commit b3d99f43c72b or later).


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart