CVE-2026-46154
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel Sched Ext

Publication date: 2026-05-28

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-09
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46154
EUVD
EUVD-2026-32781
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.18 (inc) to 6.18.32 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's scheduler extension (sched_ext) related to how it handles the scx_root pointer in cgroup setters. Specifically, functions like scx_group_set_weight, scx_group_set_idle, and scx_group_set_bandwidth cache the scx_root pointer before acquiring a read-write semaphore (scx_cgroup_ops_rwsem). Because of this, the cached pointer can become stale if the scheduler is disabled and freed while another scheduler is enabled in between these operations. This leads to a use-after-free (UAF) condition when the code dereferences the freed pointer, potentially causing undefined behavior or crashes.

Impact Analysis

The use-after-free vulnerability in the Linux kernel scheduler extension can lead to system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. This can compromise the security and reliability of the affected system, potentially leading to denial of service or privilege escalation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46154. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart