CVE-2026-23371 Overview
A vulnerability has been discovered in the Linux kernel's SCHED_DEADLINE scheduler that involves improper handling of the ENQUEUE_REPLENISH flag during Priority Inheritance (PI) de-boosting operations. This flaw occurs when a SCHED_DEADLINE task holding a PI mutex undergoes a priority class change via sched_setscheduler(), potentially leading to bandwidth accounting corruption and system warnings.
Critical Impact
Running stress-ng --schedpolicy 0 on an RT kernel on a high-core-count system can trigger kernel warnings related to bandwidth underflow, potentially destabilizing real-time scheduling guarantees.
Affected Products
- Linux Kernel (SCHED_DEADLINE scheduler component)
- RT (Real-Time) Linux kernel variants
- Systems utilizing Priority Inheritance (PI) mutexes with DEADLINE scheduling
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23371 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23371
Vulnerability Analysis
The vulnerability resides in the Linux kernel's deadline scheduler (kernel/sched/deadline.c) and specifically affects the Priority Inheritance mechanism. When a SCHED_DEADLINE task (referred to as the "holder") holds a PI mutex and another DEADLINE task (the "donor") blocks on that mutex, the holder should inherit scheduling parameters from the donor under certain conditions.
The flaw manifests when the holder task is changed from SCHED_DEADLINE to a lower priority class via sched_setscheduler() while still holding the mutex. In this scenario, the holder should inherit DEADLINE parameters from the donor and be enqueued with the ENQUEUE_REPLENISH flag set. However, this inheritance fails to occur properly if the holder didn't previously inherit parameters (for example, because it already had a shorter deadline than the donor at the time of blocking).
This leads to bandwidth accounting corruption because enqueue_task_dl() fails to recognize the lock holder as boosted, causing running bandwidth (running_bw) underflow and triggering kernel warnings in the dequeue_task_dl() function.
Root Cause
The root cause is a missing check for DEADLINE parameter inheritance when transitioning a boosted task to a lower priority class. The kernel fails to properly detect the scenario where a DEADLINE task (proper or boosted) gets scheduled to a lower priority class while holding a PI mutex with pending DEADLINE donors. The __setscheduler_dl_pi() function was introduced to detect this condition and ensure the task inherits DEADLINE parameters from the donor (pi_se) while setting the ENQUEUE_REPLENISH flag for correct bandwidth accounting.
Attack Vector
The vulnerability is triggered through a specific sequence of scheduler operations:
- A DEADLINE task (donor) blocks on a PI mutex held by another DEADLINE task (holder)
- The holder does not inherit parameters at this time (e.g., it already has a shorter deadline)
- sched_setscheduler() changes the holder from DEADLINE to a lower priority class while still holding the mutex
- The holder should now inherit DEADLINE parameters from the donor and be enqueued with ENQUEUE_REPLENISH, but this fails to happen
The vulnerability can be reproduced using stress-ng --schedpolicy 0 on RT kernels with high CPU counts, which creates the necessary scheduling pressure and mutex contention to trigger the race condition. This results in kernel warnings including "DL de-boosted task PID: REPLENISH flag missing" and "running_bw underflow" in the call trace through dequeue_task_dl(), push_dl_task(), and dl_task_timer().
Detection Methods for CVE-2026-23371
Indicators of Compromise
- Kernel warnings containing "DL de-boosted task PID: REPLENISH flag missing" in system logs
- Warnings at kernel/sched/deadline.c:239 referencing dequeue_task_dl()
- Call traces showing running_bw underflow errors
- Unexpected behavior in real-time workloads using SCHED_DEADLINE with PI mutexes
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for SCHED_DEADLINE-related warnings
- Implement alerting on kernel warnings originating from kernel/sched/deadline.c
- Deploy system monitoring to detect anomalous scheduling behavior on RT kernels
- Use kernel tracing (ftrace) to monitor dequeue_task_dl and enqueue_task_dl functions
Monitoring Recommendations
- Enable kernel warning logging and set up alerts for scheduler-related errors
- Monitor systems running real-time workloads with stress-ng or similar tools for unexpected warnings
- Track CPU scheduling metrics on high-core-count systems using RT kernels
- Review system stability logs after any changes to task scheduling policies
How to Mitigate CVE-2026-23371
Immediate Actions Required
- Review systems running RT kernels with SCHED_DEADLINE workloads for potential exposure
- Apply the kernel patches from the stable kernel tree as soon as they are available for your distribution
- Avoid changing DEADLINE task priorities while they hold PI mutexes as a temporary workaround
- Test patches in a non-production environment before deployment
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix introduces __setscheduler_dl_pi(), which detects when a DEADLINE task (proper or boosted) gets scheduled to a lower priority class and ensures proper parameter inheritance from the donor (pi_se) while setting the ENQUEUE_REPLENISH flag.
Patches are available in the stable kernel tree:
Workarounds
- Avoid using sched_setscheduler() to change DEADLINE tasks to lower priority classes while they hold PI mutexes
- Consider temporarily disabling SCHED_DEADLINE policy changes on affected systems until patched
- Implement application-level guards to ensure mutex release before priority class changes
- Monitor and restart affected workloads if kernel warnings are observed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
