CVE-2026-52980
Received Received - Intake
Kernel Deadline Overflow in Linux Scheduler

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52980
EUVD
EUVD-2026-38848
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's scheduler, specifically in the handling of forked tasks within the fair scheduling class.

When a new task is forked, its scheduling entity (sched_entity) should have its relative deadline (rel_deadline) cleared. However, due to a flaw, rel_deadline remains set, causing the scheduler to misinterpret the deadline as a relative deadline and convert it incorrectly.

This incorrect conversion results in an abnormally large deadline value, which then causes the virtual runtime (vruntime) to inflate when the task yields the CPU.

The inflated vruntime corrupts internal scheduler data structures, breaking eligibility calculations and potentially causing the scheduler to fail to select the next task properly, leading to a NULL pointer dereference and a crash.

Impact Analysis

This vulnerability can cause the Linux kernel scheduler to crash unexpectedly when a newly forked task yields the CPU.

Such crashes can lead to system instability, denial of service, or unexpected reboots, impacting the availability and reliability of systems running vulnerable kernel versions.

Mitigation Strategies

The vulnerability is resolved by clearing the rel_deadline field when initializing forked sched_entity instances in the Linux kernel scheduler. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

This prevents the yield-triggered crash caused by stale relative deadline values being inherited by forked tasks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52980. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart