PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23371 Linux CVE debrief

A vulnerability in the Linux kernel's SCHED_DEADLINE scheduler could allow a local attacker to trigger bandwidth accounting corruption, leading to kernel warnings and potential denial of service. The issue occurs when a SCHED_DEADLINE task holding a PI mutex is changed to a lower priority class via sched_setscheduler() without properly inheriting DEADLINE parameters from a donor task. This missing ENQUEUE_REPLENISH flag during priority inheritance de-boosting causes running_bw underflow warnings and scheduler state inconsistency. The vulnerability requires local access and the ability to execute sched_setscheduler() calls, with exploitation limited to denial of service through scheduler malfunction rather than privilege escalation or information disclosure.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-06-01
Advisory published
2026-03-25
Advisory updated
2026-06-01

Who should care

Linux system administrators running real-time kernels with SCHED_DEADLINE workloads; DevOps teams managing container or VM hosts with deadline scheduling enabled; security teams monitoring for local denial-of-service vectors in multi-tenant Linux environments

Technical summary

The vulnerability exists in kernel/sched/deadline.c in the Linux kernel's SCHED_DEADLINE implementation. When a DEADLINE task holding a PI mutex is demoted to a lower scheduling class via sched_setscheduler(), the task fails to inherit DEADLINE parameters from a waiting donor task if no prior inheritance occurred. This omits the ENQUEUE_REPLENISH flag during subsequent enqueue operations, corrupting bandwidth accounting state and triggering WARN_ON_ONCE() assertions for running_bw underflow. The fix introduces __setscheduler_dl_pi() to detect when a DEADLINE task (proper or boosted) is being setscheduled to a lower priority class, forcing inheritance of donor parameters via pi_se and setting ENQUEUE_REPLENISH to maintain correct bandwidth accounting. The issue manifests under stress testing with stress-ng --schedpolicy on large multi-core RT kernel systems.

Defensive priority

medium

Recommended defensive actions

  • Apply the latest stable Linux kernel patches that include the fix for __setscheduler_dl_pi() in the SCHED_DEADLINE scheduler
  • Prioritize patching systems running real-time (RT) kernels with SCHED_DEADLINE workloads, especially multi-core systems where stress-ng --schedpolicy triggers the condition
  • Monitor kernel logs for 'DL de-boosted task' warnings and 'running_bw underflow' messages as indicators of potential exploitation or trigger conditions
  • Restrict local access and capabilities required to call sched_setscheduler() to trusted processes only, as the vulnerability requires local privileges
  • Review and update kernel configurations to ensure SCHED_DEADLINE scheduling policies are only enabled where operationally required
  • Validate kernel versions against affected ranges: 4.19.257 to 4.20, 5.4.212 to 5.5, 5.10.1 to 6.19.7, and 7.0 release candidates through rc7

Evidence notes

CVE description confirms the vulnerability was resolved in the Linux kernel with a fix introducing __setscheduler_dl_pi() to properly handle DEADLINE parameter inheritance during PI de-boosting. The NVD record indicates affected kernel versions from 4.19.257 through 4.20 (excluding), 5.4.212 through 5.5 (excluding), 5.10.1 through 6.19.7 (excluding), plus specific 5.10 and 7.0 release candidate versions. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields a base score of 5.5 (MEDIUM). The vulnerability is not listed in CISA KEV.

Official resources

2026-03-25T11:16:36.637Z