HIGH
sched_ext CgroupOps UAF
CVE-2026-46154
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.7 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters

scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.
02 KernelScan AI Analysis
Risk summary
A local user with low privileges can trigger a use-after-free in sched_ext by changing a cgroup's CPU settings (the cgroup v2 cpu.weight, cpu.idle and cpu.max control files, which are writable by anyone who has been delegated that cgroup) while one BPF scheduler is being unloaded and another loaded. The result is kernel memory corruption, which on systems using the extensible scheduler framework can mean a crash or privilege escalation. Only the setter side of the race is unprivileged: unloading and loading a sched_ext scheduler is a privileged BPF struct_ops operation, although the kernel also tears down a running scheduler when it errors out or trips the watchdog, so the attacker does not necessarily control the other side of the race. Kernels without CONFIG_SCHED_CLASS_EXT, or that never load a sched_ext scheduler, are not affected.
Vulnerability analysis
The vulnerability occurs in sched_ext cgroup setter functions (scx_group_set_weight, scx_group_set_idle, scx_group_set_bandwidth) that cache the scx_root pointer before acquiring the scx_cgroup_ops_rwsem read lock. A race condition exists where the scheduler can be disabled and freed via RCU work, and another scheduler enabled, between the naked scx_root load and the rwsem acquire. The code then sees scx_cgroup_enabled=true from the new scheduler but dereferences the freed old scheduler structure in SCX_HAS_OP() and SCX_CALL_OP(), resulting in a use-after-free. The fix moves the scx_root read inside the rwsem read section to correlate the pointer with the enabled-state snapshot. Exploitation requires winning a narrow timing window against a concurrent scheduler disable/enable operation.
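To make the ordering problem concrete, here is a single-threaded userspace model of the race and of the fix. It is an added example, not kernel code: the names scx_root, scx_cgroup_enabled and scx_cgroup_ops_rwsem mirror the kernel's, but the rwsem is a counter, the RCU free is a "freed" flag on a static pool entry (so the stale dereference is detected instead of being undefined behaviour), and the interleaving is forced by a window_fn callback that runs between the naked load and the lock acquire. OP_SKIPPED, UAF_DETECTED, run_scenario and the pool are assumptions of this model.

```c
/* Added example: userspace model of the CVE-2026-46154 race, not kernel code.
 * A callback stands in for the preemption window; a pool entry with a
 * "freed" flag stands in for the scheduler freed by RCU work. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define OP_SKIPPED   (-1)   /* scx_cgroup_enabled was false, nothing called */
#define UAF_DETECTED (-2)   /* op invoked on a scheduler that was already freed */

struct scx_sched {
	int  id;                     /* 1, 2, ... in load order */
	bool has_cgroup_set_weight;  /* stands in for SCX_HAS_OP(sch, cgroup_set_weight) */
	bool freed;                  /* set when the deferred (RCU) free runs */
};

/* Counter model of the percpu rwsem; single-threaded, so no blocking needed. */
static struct { int readers; bool writer; } scx_cgroup_ops_rwsem;
static void down_read(void)  { scx_cgroup_ops_rwsem.readers++; }
static void up_read(void)    { scx_cgroup_ops_rwsem.readers--; }
static void down_write(void) { scx_cgroup_ops_rwsem.writer = true; }
static void up_write(void)   { scx_cgroup_ops_rwsem.writer = false; }

static struct scx_sched *scx_root;     /* the buggy path loads this before the lock */
static bool scx_cgroup_enabled;        /* toggled only under the write side */
static struct scx_sched sched_pool[8]; /* stand-in for kmalloc/kfree */
static int next_sched;

static void reset_state(void)
{
	memset(sched_pool, 0, sizeof(sched_pool));
	next_sched = 0;
	scx_root = NULL;
	scx_cgroup_enabled = false;
	memset(&scx_cgroup_ops_rwsem, 0, sizeof(scx_cgroup_ops_rwsem));
}

/* Load a scheduler: publish scx_root and let scx_cgroup_init() flip the flag under the write lock. */
static void scx_enable(void)
{
	struct scx_sched *sch = &sched_pool[next_sched++];
	sch->id = next_sched;
	sch->has_cgroup_set_weight = true;
	down_write();
	scx_root = sch;
	scx_cgroup_enabled = true;
	up_write();
}

/* Unload: scx_cgroup_exit() clears the flag under the write lock; the object is freed afterwards. */
static void scx_disable(void)
{
	struct scx_sched *old;
	down_write();
	scx_cgroup_enabled = false;
	old = scx_root;
	scx_root = NULL;
	up_write();
	if (old)
		old->freed = true;   /* the deferred free */
}

typedef void (*window_fn)(void);
static void switch_scheduler(void) { scx_disable(); scx_enable(); }
static void disable_only(void)     { scx_disable(); }

/* Stands in for SCX_CALL_OP(sch, cgroup_set_weight); returns the id of the scheduler called. */
static int call_set_weight(struct scx_sched *sch)
{
	return sch->freed ? UAF_DETECTED : sch->id;
}

/* Before the fix: scx_root is cached before the read section. */
static int set_weight_buggy(window_fn window)
{
	struct scx_sched *sch = scx_root;   /* naked load */
	int ret = OP_SKIPPED;
	if (window)
		window();                        /* scheduler swapped here */
	down_read();
	if (scx_cgroup_enabled && sch && sch->has_cgroup_set_weight)
		ret = call_set_weight(sch);      /* enabled flag is the new scheduler's, sch is the old one */
	up_read();
	return ret;
}

/* After the fix: scx_root is read inside the read section, paired with the flag snapshot. */
static int set_weight_fixed(window_fn window)
{
	struct scx_sched *sch;
	int ret = OP_SKIPPED;
	if (window)
		window();                        /* anything that happens before the lock is harmless */
	down_read();
	sch = scx_root;
	if (scx_cgroup_enabled && sch && sch->has_cgroup_set_weight)
		ret = call_set_weight(sch);
	up_read();
	return ret;
}

/* Start each scenario with scheduler #1 loaded, then run the setter with the given window. */
static int run_scenario(int (*setter)(window_fn), window_fn window)
{
	reset_state();
	scx_enable();
	return setter(window);
}

int main(void)
{
	printf("buggy, no switch:    %d\n", run_scenario(set_weight_buggy, NULL));
	printf("buggy, switch:       %d\n", run_scenario(set_weight_buggy, switch_scheduler));
	printf("fixed, switch:       %d\n", run_scenario(set_weight_fixed, switch_scheduler));
	printf("fixed, disable only: %d\n", run_scenario(set_weight_fixed, disable_only));
	return 0;
}
```

With a scheduler switch in the window, the buggy setter reports UAF_DETECTED (it passes the freed scheduler #1 to the op while the flag set by scheduler #2 says ops are enabled), whereas the fixed setter calls scheduler #2. With a plain disable in the window both versions skip the op, which is why the bug needs a disable followed by an enable, as the commit message describes.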
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.32 | ce9aaa3af445 |
| 7.0 | 7.0.7 | 0f54f6355575 |
| mainline | 7.1-rc2 | 80afd4c84bc8 |