CVE-2026-43392 Overview
CVE-2026-43392 is a Linux kernel vulnerability in the sched_ext (extensible scheduler class) subsystem. During scx_enable(), the READY -> ENABLED task switching loop changes the calling thread's sched_class from fair to ext. Because the fair class has higher priority than ext, saturating fair-class workloads can indefinitely starve the enable thread and hang the system. The regression was introduced when the enable path switched from preempt_disable() to scx_bypass(), which does not protect against fair-class starvation.
Critical Impact
A local workload saturating the fair scheduler class can stall scx_enable() indefinitely, causing system hangs during sched_ext activation.
Affected Products
- Linux kernel versions containing the sched_ext subsystem with the scx_bypass()-based enable path
- Distributions shipping sched_ext-enabled kernels prior to the fix commits
- Systems that load BPF scheduler programs through sched_ext
Discovery Timeline
- 2026-05-08 - CVE-2026-43392 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43392
Vulnerability Analysis
The sched_ext subsystem allows BPF programs to implement custom scheduling policies. Enabling a sched_ext scheduler requires transitioning tasks from a READY state to ENABLED while reclassifying the calling thread's scheduling class from fair (CFS) to ext.
During this transition, the calling thread runs at ext priority, which sits below fair in the kernel's scheduling hierarchy. If a runqueue is saturated with CFS workloads, the kernel never schedules the ext-class enable thread, producing an indefinite stall.
The earlier implementation used preempt_disable() to bridge this gap, but the protection was removed in favor of scx_bypass(). The replacement does not inhibit preemption by higher-priority classes, exposing the starvation path. The original preempt_disable() was also incomplete because in partial-switch modes the thread could still be starved after preempt_enable().
Root Cause
The root cause is a scheduling-class priority inversion. The scx_enable() workflow demotes the actor performing the enable to a lower-priority class while still depending on forward progress to complete the switch. Without a preemption or class-floor guarantee, fair-class saturation prevents completion.
Attack Vector
The issue is triggered locally on systems where sched_ext is active and a user with permission to load BPF schedulers initiates scx_enable(). Concurrent fair-class workload saturation, whether incidental or deliberately induced, blocks the enable thread. The resulting denial of service hangs scheduler activation and can render the system unresponsive.
The fix offloads the enable body to a dedicated system-wide real-time SCHED_FIFO kthread that cannot be starved by fair or ext tasks. scx_enable() lazily creates the kthread on first use, passes the ops pointer through a struct scx_enable_cmd containing the kthread_work, and waits synchronously for completion. The workfn runs on a different kthread than sch->helper, allowing safe flushing of disable_work on the error path without deadlock.
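The starvation and the effect of the fix can be reproduced in a toy model. The following is an added example, not kernel code or code from the fix commits: it implements a strict class-priority pick (rt above fair above ext) with round-robin inside a class, and the task names, tick counts and helper names are all hypothetical.

```python
from collections import deque

CLASS_ORDER = ("rt", "fair", "ext")  # highest first; SCHED_FIFO tasks live in "rt"

class Task:
    def __init__(self, name, phases):
        self.name = name
        self.phases = deque(phases)  # [(class, ticks of work)]; None = never finishes
        self.last_ran = 0
        self.done_at = None

def simulate(tasks, ticks):
    """Each tick, run one task from the highest-priority class that has work."""
    for now in range(1, ticks + 1):
        runnable = [t for t in tasks if t.phases]
        if not runnable:
            break
        rank = lambda t: CLASS_ORDER.index(t.phases[0][0])
        top = min(map(rank, runnable))
        # Round-robin inside a class (a simplified stand-in for CFS fairness).
        task = min((t for t in runnable if rank(t) == top), key=lambda t: t.last_ran)
        task.last_ran = now
        cls, left = task.phases[0]
        if left is None:
            continue  # endless workload, stays runnable
        if left > 1:
            task.phases[0] = (cls, left - 1)
        else:
            task.phases.popleft()  # phase done; the next phase may be another class
            if not task.phases:
                task.done_at = now
    return {t.name: t.done_at for t in tasks}

def hog():
    return Task("fair_hog", [("fair", None)])  # saturating fair-class load

def enable_in_caller(ticks=1000):
    # Pre-fix shape: the caller starts in fair, is switched to ext mid-loop,
    # and still has enable work left to do at ext priority.
    caller = Task("scx_enable_caller", [("fair", 2), ("ext", 3)])
    return simulate([caller, hog()], ticks)["scx_enable_caller"]

def enable_in_fifo_kthread(ticks=1000):
    # Fixed shape: the whole enable body runs in a SCHED_FIFO (rt) kthread.
    worker = Task("enable_kthread", [("rt", 5)])
    return simulate([worker, hog()], ticks)["enable_kthread"]

if __name__ == "__main__":
    print("caller-run enable finished at tick:", enable_in_caller())
    print("FIFO-kthread enable finished at tick:", enable_in_fifo_kthread())
```

The caller-run variant never completes however many ticks are simulated, because the fair-class hog is always picked ahead of the ext-class caller; the rt-class worker completes regardless of the fair load.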
Detection Methods for CVE-2026-43392
Indicators of Compromise
- Hung-task warnings naming threads invoking scx_enable() or sched_ext setup paths
- Soft lockup or RCU stall messages coinciding with BPF scheduler load operations
- Long-running tasks stuck in ext scheduling class while CFS runqueues remain saturated
Detection Strategies
- Audit kernel logs (dmesg, journalctl -k) for INFO: task ... blocked for more than X seconds entries referencing sched_ext code paths
- Track BPF program load events for sched_ext schedulers and correlate with system responsiveness drops
- Monitor /sys/kernel/sched_ext/state transitions for prolonged time spent in the enabling phase
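One way to implement the kernel-log audit from the first strategy, as an added example that is not part of the original advisory: it groups each hung-task report with the call-trace lines that follow it and keeps only reports whose trace contains a sched_ext frame. Matching frames by the scx_ symbol prefix is an assumption, and the log lines are constructed sample data, not captured output.

```python
import re

HUNG = re.compile(
    r"INFO: task (?P<comm>.+?):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds"
)
# Assumption: sched_ext code paths show up as scx_* symbols (e.g. scx_enable).
FRAME = re.compile(r"\b(scx_\w+)\+0x")

def sched_ext_hung_tasks(lines):
    """Return hung-task reports whose call trace includes a scx_* frame."""
    reports, cur = [], None
    for line in lines:
        m = HUNG.search(line)
        if m:
            # A new report starts; following lines belong to it until the next one.
            cur = {"comm": m["comm"], "pid": int(m["pid"]),
                   "secs": int(m["secs"]), "frames": []}
            reports.append(cur)
        elif cur is not None:
            f = FRAME.search(line)
            if f:
                cur["frames"].append(f[1])
    return [r for r in reports if r["frames"]]

# Constructed dmesg excerpt: one report inside scx_enable, one unrelated I/O hang.
SAMPLE = """\
[ 4821.100000] INFO: task scx_loader:2210 blocked for more than 120 seconds.
[ 4821.100010]       Not tainted
[ 4821.100020] task:scx_loader      state:D stack:0     pid:2210
[ 4821.100030] Call Trace:
[ 4821.100040]  __schedule+0x3a0/0x1200
[ 4821.100050]  schedule+0x27/0xf0
[ 4821.100060]  scx_enable+0x4c1/0xa90
[ 4821.200000] INFO: task backup:3100 blocked for more than 120 seconds.
[ 4821.200010] Call Trace:
[ 4821.200020]  __schedule+0x3a0/0x1200
[ 4821.200030]  io_schedule+0x46/0x80
""".splitlines()

if __name__ == "__main__":
    for r in sched_ext_hung_tasks(SAMPLE):
        print(f"{r['comm']} (pid {r['pid']}) blocked >{r['secs']}s in {r['frames']}")
```

On a live host the same function can be fed the lines of dmesg or journalctl -k output instead of SAMPLE.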
Monitoring Recommendations
- Alert on kernel hung-task and soft-lockup events on hosts running sched_ext-enabled kernels
- Capture per-class CPU utilization to identify sustained fair-class saturation on hosts that load BPF schedulers
- Maintain inventory of kernel build versions to confirm whether the patched commits are present
How to Mitigate CVE-2026-43392
Immediate Actions Required
- Update to a kernel that includes one of the fix commits from the stable tree: 05ab9ec5dc24, b06ccbabe250, c44198f25fdf, or e0b14bf06393
- Restrict permission to load sched_ext BPF schedulers to trusted administrators only
- Avoid enabling sched_ext on hosts running sustained fair-class saturation workloads until patched
Patch Information
The upstream fix is published in the Linux stable tree across multiple branches. Refer to Kernel Git Commit 05ab9ec, Kernel Git Commit b06ccba, Kernel Git Commit c44198f, and Kernel Git Commit e0b14bf. The fix introduces a dedicated SCHED_FIFO kthread that performs the enable body outside of class-priority contention.
Workarounds
- Disable or unload BPF sched_ext schedulers on affected hosts until the patched kernel is deployed
- Limit CAP_SYS_ADMIN and CAP_BPF privileges that allow loading sched_ext programs
- Reduce sustained fair-class load when performing scheduler activation operations on unpatched kernels