CVE Catalog

CVE-2026-46154

HighCVSS 7.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile - higher than 2% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel regarding the reading of the scx_root pointer in the context of cgroup operations. The issue arises because the pointer may become stale by the time the operation is executed, potentially leading to use-after-free conditions.

Risk Assessment

This vulnerability could lead to unauthorized memory access, posing risks to the stability and security of the system. If exploited, an attacker may gain access to data or functions that should be restricted.

Recommendation

It is recommended to update the Linux kernel to the latest version where this vulnerability has been patched. Additionally, monitoring and auditing cgroup configurations may help identify potential issues.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS