CVE-2026-43482 Overview
CVE-2026-43482 is a race condition vulnerability in the Linux kernel's sched_ext (extensible scheduler) subsystem. The flaw occurs between scx_claim_exit() and the helper work kick that initiates bypass mode and teardown. If the calling task is preempted in this window and the BPF scheduler fails to reschedule it, the helper work is never queued. The result is that bypass mode never activates, tasks stop being dispatched, and the system wedges.
The issue has been resolved upstream by disabling preemption across scx_claim_exit() and the subsequent work-kicking in all callers, including scx_disable() and scx_vexit().
Critical Impact
A local condition can wedge the entire system when a BPF scheduler error coincides with preemption between exit-claim and helper-work kick, leading to denial of service.
Affected Products
- Linux kernel branches shipping the sched_ext subsystem
- Distributions consuming pre-patch stable kernels referenced in the upstream fix commits
- Workloads running custom BPF schedulers via sched_ext
Discovery Timeline
- 2026-05-13 - CVE-2026-43482 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43482
Vulnerability Analysis
The sched_ext subsystem allows BPF programs to implement custom CPU schedulers. When the kernel needs to tear down a BPF scheduler, scx_claim_exit() atomically sets exit_kind, which disables further error handling via scx_error(). The caller must then kick a helper kthread work item to begin bypass mode and orderly teardown.
Between these two operations, the calling task may be preempted by the running BPF scheduler. Because exit_kind has already been claimed, any subsequent scheduling failure is silently swallowed rather than triggering error handling. If the BPF scheduler refuses to schedule the caller back onto a CPU, the helper work never gets queued.
With bypass mode never activated, the runqueues stop dispatching tasks and the entire system effectively hangs. This is a denial-of-service condition that requires no remote interaction.
Root Cause
The root cause is a race condition [CWE-362] in the exit sequencing of sched_ext. Claiming exit and kicking the helper work are not atomic with respect to preemption, leaving a window where progress depends on a scheduler that is in the process of being torn down. The fix disables preemption across both steps and adds lockdep_assert_preemption_disabled() inside scx_claim_exit() to enforce the invariant.
Attack Vector
The condition is reachable from any code path that triggers scx_disable() or scx_vexit() while a faulty or hostile BPF scheduler is loaded. Privileges sufficient to load a BPF scheduler are required, so this is a local denial-of-service issue rather than a remote attack vector. A malicious or buggy BPF scheduler can deterministically refuse to reschedule the exiting task, reliably wedging the host.
No proof-of-concept exploit code is publicly associated with this CVE. The vulnerability is described in prose in the upstream commit messages; refer to the Kernel Security Fix Commit 522acaae for the patch context.
Detection Methods for CVE-2026-43482
Indicators of Compromise
- Unresponsive systems where userspace and kernel threads stop making progress shortly after a sched_ext scheduler is disabled or exits with an error
- Kernel logs showing scx_error() events immediately preceding a system hang, with no subsequent bypass-mode activation messages
- Hung-task warnings or RCU stalls following BPF scheduler unload operations
Detection Strategies
- Compare running kernel build identifiers against the fixed commits 41423912, 5131dbec, 522acaae, and 83236b2e to identify exposed hosts
- Audit BPF program load events for sched_ext schedulers, correlating them with subsequent host unresponsiveness or reboot events
- Monitor for repeated host unavailability on systems that deploy custom sched_ext policies in production
Monitoring Recommendations
- Collect kernel ring buffer output via centralized logging and alert on sched_ext exit messages
- Track bpf() syscall telemetry, particularly program loads of type BPF_PROG_TYPE_STRUCT_OPS targeting the scheduler
- Set up out-of-band watchdogs on hosts running BPF schedulers so wedged systems can be identified and recovered
How to Mitigate CVE-2026-43482
Immediate Actions Required
- Apply stable kernel updates that include the upstream fix commits referenced in the NVD entry
- Restrict the CAP_BPF and CAP_SYS_ADMIN capabilities required to load sched_ext programs to trusted administrators only
- Disable or unload non-essential BPF schedulers in production environments until patched kernels are deployed
Patch Information
The fix disables preemption across scx_claim_exit() and the helper-work kick in both scx_disable() and scx_vexit(), and adds lockdep_assert_preemption_disabled() to enforce the requirement. Patches are available in the following stable commits:
- Kernel Security Fix Commit 41423912
- Kernel Security Fix Commit 5131dbec
- Kernel Security Fix Commit 522acaae
- Kernel Security Fix Commit 83236b2e
Workarounds
- Avoid running custom or untrusted sched_ext BPF schedulers on unpatched kernels
- Build kernels without CONFIG_SCHED_CLASS_EXT where the extensible scheduler is not required
- Constrain BPF program loading through Linux Security Module policies such as SELinux or AppArmor to limit who can deploy schedulers
# Verify whether sched_ext is enabled in the running kernel
grep CONFIG_SCHED_CLASS_EXT /boot/config-$(uname -r)
# List currently loaded BPF struct_ops programs (requires bpftool and root)
bpftool struct_ops list
# Restrict unprivileged BPF entirely until patched
sysctl -w kernel.unprivileged_bpf_disabled=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
