CVE-2026-46154
Awaiting Analysis Awaiting Analysis - Queue
Use-After-Free in Linux Kernel Sched Ext

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-46154
EUVD
EUVD-2026-32781
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's scheduler extension (sched_ext) related to how it handles the scx_root pointer in cgroup setters. Specifically, functions like scx_group_set_weight, scx_group_set_idle, and scx_group_set_bandwidth cache the scx_root pointer before acquiring a read-write semaphore (scx_cgroup_ops_rwsem). Because of this, the cached pointer can become stale if the scheduler is disabled and freed while another scheduler is enabled in between these operations. This leads to a use-after-free (UAF) condition when the code dereferences the freed pointer, potentially causing undefined behavior or crashes.


How can this vulnerability impact me? :

The use-after-free vulnerability in the Linux kernel scheduler extension can lead to system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges. This can compromise the security and reliability of the affected system, potentially leading to denial of service or privilege escalation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart