CVE-2026-31734 Overview
CVE-2026-31734 is a Linux kernel vulnerability in the sched_ext (extensible scheduler) subsystem. The flaw involves a false negative in is_bpf_migration_disabled() on kernels built without CONFIG_PREEMPT_RCU. After commit 8e4f0b1ebcf2, the BPF prolog __bpf_prog_enter only calls migrate_disable() when CONFIG_PREEMPT_RCU is enabled. The unconditional p == current check therefore misclassified migration-disabled tasks on non-PREEMPT_RCU kernels. As a result, a migration-disabled task could be dispatched to a remote CPU, triggering an scx_error in task_can_run_on_remote_rq(). The vulnerability affects Linux kernel 7.0 release candidates and was resolved upstream.
Critical Impact
A local low-privileged user running BPF scheduler workloads can trigger an scx_error, leading to scheduler subsystem failure and high availability impact on the affected host.
Affected Products
- Linux Kernel 7.0-rc1 through 7.0-rc6
- Distributions shipping pre-release Linux kernel 7.0 builds with sched_ext enabled
- Systems built without CONFIG_PREEMPT_RCU are most directly impacted
Discovery Timeline
- 2026-05-01 - CVE-2026-31734 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31734
Vulnerability Analysis
The defect resides in the sched_ext scheduling class, which allows BPF programs to implement custom CPU schedulers. The function is_bpf_migration_disabled() is responsible for determining whether a task currently has migration disabled, and a special disambiguation step exists because the BPF trampoline prolog also manipulates migration_disabled.
Commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for trampoline.c") changed BPF prolog behavior so that migrate_disable() is invoked only when CONFIG_PREEMPT_RCU is enabled. On non-PREEMPT_RCU builds, the prolog never increments migration_disabled, so a value of 1 unambiguously indicates a real migration-disabled task. However, sched_ext continued to apply an unconditional p == current check, which falsely cleared the migration-disabled state for non-current tasks and allowed them to be dispatched to remote run queues.
Root Cause
The root cause is an outdated assumption in sched_ext that the BPF prolog always perturbs migration_disabled. The disambiguation logic should be conditional on CONFIG_PREEMPT_RCU, but it was applied unconditionally. This produces a false negative path where genuine migration-disabled tasks are treated as eligible for migration.
Attack Vector
The vulnerability is locally exploitable and requires low privileges. A local user able to load or trigger BPF scheduler operations can drive a workload that exposes the misclassification. When task_can_run_on_remote_rq() observes the inconsistent state, the scheduler raises scx_error, disabling the active BPF scheduler and impacting host availability. There is no confidentiality or integrity impact, and no public proof-of-concept or known in-the-wild exploitation has been reported. The EPSS probability is 0.022%, indicating low predicted exploitation likelihood.
No verified exploitation code is available. Refer to the upstream commits for technical fix details: Kernel commit 0c4a59df370b, Kernel commit 72c43eb2e334, and Kernel commit b4992a9446bb.
Detection Methods for CVE-2026-31734
Indicators of Compromise
- Kernel log entries containing scx_error messages originating from task_can_run_on_remote_rq().
- Unexpected disabling of an active sched_ext BPF scheduler with fallback to CFS or EEVDF.
- dmesg output showing sched_ext: BPF scheduler errors on non-PREEMPT_RCU kernels running 7.0-rc builds.
Detection Strategies
- Inventory kernels in your fleet and flag any host running Linux 7.0-rc1 through 7.0-rc6 with sched_ext enabled.
- Verify whether CONFIG_PREEMPT_RCU is set in /boot/config-$(uname -r); non-PREEMPT_RCU builds are the impacted configuration.
- Audit BPF program loads via bpftool prog list to identify scheduler programs that exercise the vulnerable code path.
Monitoring Recommendations
- Forward dmesg and journald kernel facility logs to a centralized log platform and alert on scx_error strings.
- Monitor for unexpected sched_ext disable events that correlate with workload-dependent task migration.
- Track BPF program load activity from non-root and CAP_BPF-only contexts on production hosts.
How to Mitigate CVE-2026-31734
Immediate Actions Required
- Apply the upstream fix by updating to a Linux kernel build that includes commits 0c4a59df370b, 72c43eb2e334, and b4992a9446bb.
- Avoid deploying Linux 7.0 release candidate kernels in production until a stable release containing the fix is available.
- Restrict BPF scheduler program loading to trusted administrators by tightening CAP_BPF and CAP_SYS_ADMIN assignments.
Patch Information
The vulnerability is resolved upstream. Reference the corrective commits at Kernel commit 0c4a59df370b, Kernel commit 72c43eb2e334, and Kernel commit b4992a9446bb. The fix conditions the p == current disambiguation on CONFIG_PREEMPT_RCU so that non-PREEMPT_RCU builds correctly trust the migration_disabled == 1 signal.
Workarounds
- Build the kernel with CONFIG_PREEMPT_RCU=y to remove the false negative path until the patch is applied.
- Disable sched_ext (CONFIG_SCHED_CLASS_EXT=n) on systems that do not require BPF custom schedulers.
- Unload third-party BPF scheduler programs and revert to the default in-kernel scheduler on affected hosts.
# Check kernel version and PREEMPT_RCU configuration
uname -r
grep -E 'CONFIG_PREEMPT_RCU|CONFIG_SCHED_CLASS_EXT' /boot/config-$(uname -r)
# Disable an active sched_ext BPF scheduler
sudo bpftool struct_ops list
sudo bpftool struct_ops unregister id <ID>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
