PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46154 Linux CVE debrief

A use-after-free (UAF) vulnerability exists in the Linux kernel's sched_ext (SCX) subsystem. The flaw occurs in cgroup setter functions `scx_group_set_{weight,idle,bandwidth}()` where `scx_root` is cached before acquiring the `scx_cgroup_ops_rwsem` lock. This creates a race window: if a scheduler is disabled and freed via RCU work, and a new scheduler is enabled between the naked load and the rwsem acquire, the code sees `scx_cgroup_enabled=true` (from the new scheduler) but dereferences the freed scheduler structure. This leads to UAF when executing `SCX_HAS_OP(sch, ...)` or `SCX_CALL_OP(sch, ...)`. The fix moves the `scx_root` read inside the rwsem read section, ensuring the scheduler pointer correlates with the enabled state snapshot.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Linux kernel administrators, container platform operators using cgroups with sched_ext, cloud providers offering container services on Linux, and organizations running workloads with custom SCX schedulers.

Technical summary

The sched_ext (SCX) subsystem in the Linux kernel contains a use-after-free vulnerability in cgroup setter functions. The functions `scx_group_set_weight()`, `scx_group_set_idle()`, and `scx_group_set_bandwidth()` cache the `scx_root` pointer before acquiring the `scx_cgroup_ops_rwsem` read lock. This creates a race condition: between the naked load of `scx_root` and the semaphore acquisition, a loaded scheduler may be disabled and freed via RCU work, while a new scheduler is enabled. The code then sees `scx_cgroup_enabled=true` (reflecting the new scheduler) but dereferences the freed old scheduler structure when executing `SCX_HAS_OP()` or `SCX_CALL_OP()` macros. The vulnerability is fixed by reading `scx_root` inside the rwsem read section, ensuring the scheduler pointer and enabled state are consistent. The `scx_cgroup_enabled` flag is toggled only under `scx_cgroup_ops_rwsem` write lock during `scx_cgroup_init()` and `scx_cgroup_exit()`, so this change properly correlates the scheduler pointer with the enabled snapshot.
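The ordering problem and its fix, as an added example that is neither kernel source nor part of the advisory: a single-threaded C model that replays the worst-case interleaving deterministically. `slots`, `readers`, `reset()`, `swap_schedulers()` and the two `setter_*()` functions are constructed names; a `freed` flag stands in for the RCU free and a reader count stands in for `scx_cgroup_ops_rwsem`.

```c
#include <stdio.h>
/* Single-threaded model: names follow the advisory, bodies are constructed. */
struct sched { int freed; };            /* freed=1 stands in for the RCU free */
static struct sched slots[2], *scx_root;
static int scx_cgroup_enabled, readers; /* readers models scx_cgroup_ops_rwsem */

static void reset(void) {
    slots[0].freed = 0;                 /* old scheduler, currently loaded */
    slots[1].freed = 1;                 /* new scheduler, not yet enabled */
    scx_root = &slots[0];
    scx_cgroup_enabled = 1;
    readers = 0;
}

/* Writer side; refused while a reader holds the rwsem (a real writer blocks). */
static int swap_schedulers(void) {
    if (readers > 0)
        return -1;
    scx_root->freed = 1;                /* old scheduler disabled and freed */
    scx_root = &slots[1];               /* new scheduler becomes the root */
    scx_root->freed = 0;
    scx_cgroup_enabled = 1;             /* true again, now for the new scheduler */
    return 0;
}

static int setter_vulnerable(void) {
    struct sched *sch = scx_root;       /* naked load before the rwsem */
    swap_schedulers();                  /* worst-case interleaving */
    readers++;                          /* down_read() */
    int stale = scx_cgroup_enabled && sch->freed; /* SCX_CALL_OP(sch, ...) site */
    readers--;                          /* up_read() */
    return stale;                       /* 1 = would call into a freed scheduler */
}

static int setter_fixed(void) {
    swap_schedulers();                  /* same interleaving, before the lock */
    readers++;                          /* down_read() */
    struct sched *sch = scx_root;       /* read inside the read section */
    swap_schedulers();                  /* refused: a reader holds the rwsem */
    int stale = scx_cgroup_enabled && sch->freed;
    readers--;                          /* up_read() */
    return stale;
}

int main(void) {
    reset(); printf("vulnerable: stale=%d\n", setter_vulnerable());
    reset(); printf("fixed:      stale=%d\n", setter_fixed());
    return 0;
}
```

In both setters the enabled check passes; only the one that cached the pointer before taking the lock ends up holding the freed scheduler.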

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches when available
  • Monitor Linux kernel stable releases for backported fixes
  • Review systems using sched_ext (SCX) schedulers for cgroup weight/idle/bandwidth configuration changes
  • Consider disabling sched_ext if not required until patches are applied
  • Audit for any scheduler loading/unloading patterns that could trigger the race condition

Evidence notes

The vulnerability description indicates this is a resolved issue in the Linux kernel sched_ext subsystem. The fix involves reading `scx_root` under `scx_cgroup_ops_rwsem` protection in cgroup setter functions to prevent UAF when scheduler transitions occur.

Official resources

2026-05-28