CVE-2026-43438 Overview
CVE-2026-43438 is a Use-After-Free (UAF) vulnerability in the Linux kernel's sched_ext subsystem. The flaw resides in the scx_cgroup_init() function, which improperly calls css_put() in its error path on cgroup subsystem state (css) references obtained via the css_for_each_descendant_pre() iterator. Because that iterator walks the cgroup hierarchy under cgroup_lock() without incrementing reference counts, the unbalanced css_put() triggers a refcount underflow.
Critical Impact
A local authenticated attacker can trigger a reference counter underflow in scx_cgroup_init(), leading to a Use-After-Free condition with high impact to confidentiality, integrity, and availability.
Affected Products
- Linux kernel versions containing the sched_ext subsystem with the flawed scx_cgroup_init() implementation
- Distributions shipping kernels prior to the upstream stable fixes referenced in commits 1336b57, 6eaaa67, bf50f32, and cc095cd
- Systems with CONFIG_SCHED_CLASS_EXT enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43438 published to the National Vulnerability Database
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43438
Vulnerability Analysis
The vulnerability exists in the sched_ext (extensible scheduler class) subsystem of the Linux kernel. The scx_cgroup_init() function iterates over the cgroup hierarchy using css_for_each_descendant_pre() to initialize per-cgroup scheduler state. On encountering an initialization error, the function attempts to release the current css reference by calling css_put().
This release call is incorrect. Per the cgroup documentation, css_put() decrements a reference previously acquired through css_get() or css_tryget_online(). The iterator css_for_each_descendant_pre() does neither; it relies on cgroup_lock() for safety and yields css pointers without bumping their refcounts.
The unbalanced css_put() therefore decrements a refcount that was never incremented, producing an underflow. Once the refcount reaches zero prematurely, the underlying css structure can be freed while still referenced by other kernel paths, producing a classic Use-After-Free.
Root Cause
The root cause is an API contract violation. The code path treats iterator-yielded css pointers as owned references, but they are borrowed under the cgroup lock. The fix in the referenced upstream commits removes the erroneous css_put() from the error path of scx_cgroup_init(), restoring balanced reference accounting.
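The borrowed-versus-owned contract described above, modelled as an added example in C (this is not kernel code and not the upstream patch): struct toy_css, toy_css_put(), walk_descendants() and init_fail_on_node1() are hypothetical stand-ins for the css object, css_put(), css_for_each_descendant_pre() and a failing per-cgroup init; the put_on_error flag selects the erroneous error path or the corrected one. The hierarchy is the sole owner of each reference, so a put on an iterator-yielded pointer drops the owner's reference, frees the node early, and the owner's later legitimate put lands on freed memory, which is the underflow warning the detection section lists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for struct cgroup_subsys_state (hypothetical names). */
struct toy_css {
    int id;
    int refs;         /* owned references; the hierarchy holds exactly one */
    bool freed;       /* object has gone back to the allocator */
    bool underflow;   /* refcount_warn_saturate()-style trip on a dead object */
};

static void toy_css_release(struct toy_css *c)
{
    c->freed = true;
}

/* Drop one owned reference.  Dropping the last one frees the object;
 * dropping a reference that nobody holds is the underflow the kernel warns about. */
static void toy_css_put(struct toy_css *c)
{
    if (c->freed || c->refs <= 0) {
        c->underflow = true;
        return;
    }
    if (--c->refs == 0)
        toy_css_release(c);
}

/* Per-node init callback; non-zero forces the error path. */
typedef int (*toy_init_fn)(struct toy_css *c);

/* Borrowed pre-order walk standing in for css_for_each_descendant_pre():
 * the caller is assumed to hold the hierarchy lock, and the pointers it is
 * handed carry no reference of their own.  put_on_error == true reproduces
 * the contract violation; false is the corrected behaviour. */
static int walk_descendants(struct toy_css *hier, size_t n,
                            toy_init_fn init, bool put_on_error)
{
    for (size_t i = 0; i < n; i++) {
        int ret = init(&hier[i]);
        if (ret) {
            if (put_on_error)
                toy_css_put(&hier[i]);   /* the bug: releases the owner's reference */
            return ret;
        }
    }
    return 0;
}

/* Constructed failure: the second node refuses to initialise. */
static int init_fail_on_node1(struct toy_css *c)
{
    return c->id == 1 ? -1 : 0;
}

/* Run the init walk over a three-node hierarchy, then tear it down the way
 * the owner would.  Returns how many nodes tripped underflow detection. */
int run_init_scenario(bool buggy_error_path)
{
    struct toy_css hier[3] = {
        { .id = 0, .refs = 1 }, { .id = 1, .refs = 1 }, { .id = 2, .refs = 1 },
    };
    size_t n = sizeof hier / sizeof hier[0];
    int underflows = 0;

    walk_descendants(hier, n, init_fail_on_node1, buggy_error_path);

    /* Hierarchy teardown: the legitimate owner drops its single reference. */
    for (size_t i = 0; i < n; i++) {
        toy_css_put(&hier[i]);
        if (hier[i].underflow)
            underflows++;
    }
    return underflows;
}

int main(void)
{
    printf("buggy error path: %d underflow(s)\n", run_init_scenario(true));   /* 1 */
    printf("fixed error path: %d underflow(s)\n", run_init_scenario(false));  /* 0 */
    return 0;
}
```

With the erroneous put, node 1 is freed during the walk and the owner's teardown put trips the underflow check; with the put removed, every node is released exactly once and the walk's error return is the only visible effect, which is the balanced accounting the upstream fix restores.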
Attack Vector
Exploitation requires local access and low-privileged code execution on a host running an affected kernel with sched_ext enabled. An attacker forces scx_cgroup_init() to take its error path while iterating the cgroup hierarchy, driving the css refcount below zero. Subsequent allocations can reuse the freed memory, allowing the attacker to corrupt kernel data structures and escalate privileges. No user interaction is required.
No public proof-of-concept code has been published. The vulnerability is described in prose in the upstream commit message of kernel Git commit 1336b57 and in the related stable backports.
Detection Methods for CVE-2026-43438
Indicators of Compromise
- Kernel log entries referencing refcount_t: underflow or refcount_warn_saturate originating from cgroup or sched_ext call paths
- Unexpected oops or panic traces with scx_cgroup_init on the call stack
- Crashes in cgroup css teardown routines following sched_ext scheduler attach or detach operations
Detection Strategies
- Monitor dmesg and journald for kernel WARN and BUG messages tied to refcount underflow in cgroup or scheduler subsystems
- Audit kernel version and CONFIG_SCHED_CLASS_EXT build flag across the fleet, flagging hosts running unpatched kernels
- Correlate process events that load or attach BPF scheduler programs with subsequent kernel instability
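The indicators of compromise and the dmesg-monitoring strategy above, turned into detection logic as an added example in C (not tooling from any kernel or distribution project). The kernel log excerpt is constructed for the example, including the addresses and PIDs: one refcount underflow whose call trace runs through scx_cgroup_init(), one unrelated underflow, and a benign sched_ext status line. The point it shows is that the "refcount_t: underflow" line and the scx_cgroup_init frame are on different lines of the same WARNING block, so a useful alert has to correlate across the block rather than grep a single line.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed kernel log excerpt (not a captured incident); addresses, PIDs
 * and timestamps are made up for the example. */
static const char *const SAMPLE_KMSG[] = {
    "[  812.001] ------------[ cut here ]------------",
    "[  812.002] refcount_t: underflow; use-after-free.",
    "[  812.003] WARNING: CPU: 3 PID: 4120 at lib/refcount.c refcount_warn_saturate+0xab/0xf0",
    "[  812.004] Call Trace:",
    "[  812.005]  <TASK>",
    "[  812.006]  scx_cgroup_init+0x1f4/0x2a0",
    "[  812.007]  scx_ops_enable+0x6b2/0x9c0",
    "[  812.008]  __sys_bpf+0x1d35/0x2c00",
    "[  812.009]  </TASK>",
    "[  812.010] ---[ end trace 0000000000000000 ]---",
    "[  900.100] refcount_t: underflow; use-after-free.",
    "[  900.101] WARNING: CPU: 1 PID: 77 at lib/refcount.c refcount_warn_saturate+0xab/0xf0",
    "[  900.102] Call Trace:",
    "[  900.103]  unrelated_driver_release+0x40/0x80",
    "[  900.104] ---[ end trace 0000000000000000 ]---",
    "[  950.000] sched_ext: BPF scheduler \"example\" enabled",
};
#define SAMPLE_KMSG_LEN (sizeof SAMPLE_KMSG / sizeof SAMPLE_KMSG[0])

/* Does this line open (or continue) a refcount warning block? */
bool is_refcount_warning(const char *line)
{
    return strstr(line, "refcount_t: underflow") != NULL ||
           strstr(line, "refcount_warn_saturate") != NULL;
}

/* Does this trace frame belong to the cgroup/sched_ext paths named in the IoCs? */
bool is_cgroup_or_scx_frame(const char *line)
{
    return strstr(line, " scx_") != NULL ||
           strstr(line, " css_") != NULL ||
           strstr(line, "cgroup") != NULL;
}

/* Single pass over the log.  A refcount warning counts as an alert only when
 * a frame between it and the "end trace" marker points at cgroup or sched_ext
 * code; unrelated underflows stay out of the alert stream. */
int count_scx_refcount_alerts(const char *const *lines, size_t n)
{
    bool in_block = false, suspicious = false;
    int alerts = 0;

    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (is_refcount_warning(l)) {
            in_block = true;
        } else if (in_block && strstr(l, "end trace") != NULL) {
            if (suspicious)
                alerts++;
            in_block = suspicious = false;
        } else if (in_block && is_cgroup_or_scx_frame(l)) {
            suspicious = true;
        }
    }
    if (in_block && suspicious)   /* block cut off by a panic or log rotation */
        alerts++;
    return alerts;
}

/* Convenience entry point: run the detector over the constructed sample. */
int scan_sample_kmsg(void)
{
    return count_scx_refcount_alerts(SAMPLE_KMSG, SAMPLE_KMSG_LEN);
}

int main(void)
{
    printf("sched_ext/cgroup refcount alerts: %d\n", scan_sample_kmsg());  /* 1 */
    return 0;
}
```

In production the same state machine would run over the kernel ring buffer as forwarded to the SIEM (the monitoring recommendations below), and the alert should carry the PID from the WARNING line so it can be joined against the bpf() syscall and scheduler attach events the strategy list asks to correlate.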
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized SIEM and alert on refcount and Oops patterns
- Track unprivileged processes invoking bpf() syscalls that load struct_ops scheduler programs
- Monitor cgroup mount and configuration changes on production hosts, especially in container orchestration environments
How to Mitigate CVE-2026-43438
Immediate Actions Required
- Inventory all Linux hosts running kernels with sched_ext enabled and prioritize patching based on exposure to local users and untrusted workloads
- Apply the stable kernel updates that include the upstream fix removing the redundant css_put() in scx_cgroup_init()
- Restrict access to the bpf() syscall and sched_ext attach operations to trusted administrators where patching is delayed
Patch Information
The upstream fix removes the unbalanced css_put() call from the error path of scx_cgroup_init(). The patch is available across stable trees in kernel Git commits 1336b57, 6eaaa67, bf50f32, and cc095cd. Update to the corresponding distribution kernel releases that incorporate these commits.
Workarounds
- Disable sched_ext by booting a kernel built without CONFIG_SCHED_CLASS_EXT until patches can be applied
- Restrict CAP_SYS_ADMIN and CAP_BPF to a minimal set of trusted accounts to limit who can load custom scheduler BPF programs
- Enforce seccomp and Linux Security Module policies that block unprivileged invocation of sched_ext attach operations on multi-tenant hosts
# Verify kernel version and sched_ext availability
uname -r
grep CONFIG_SCHED_CLASS_EXT "/boot/config-$(uname -r)"
# Check whether a BPF scheduler is currently attached (sysfs node exists only on sched_ext kernels)
cat /sys/kernel/sched_ext/state 2>/dev/null
# Restrict unprivileged BPF to reduce sched_ext exposure
# (1 = disabled until reboot and cannot be re-enabled at runtime; 2 = disabled but revertable)
sysctl -w kernel.unprivileged_bpf_disabled=1
echo 'kernel.unprivileged_bpf_disabled=1' >> /etc/sysctl.d/99-bpf-hardening.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.