HIGH 7.0

CVE-2026-46154

A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a use-after-free (UAF) condition in the sched_ext cgroup setter functions—specifically scx_group_set_weight(), scx_group_set_idle(), and scx_group_set_bandwidth(). These functions retrieve the scx_root pointer before acquiring the scx_cgroup_ops_rwsem read lock. During the window between the naked load and lock acquisition, a concurrent operation can disable the loaded scheduler (triggering RCU-delayed freeing) and enable a new one. The reader then observes scx_cgroup_enabled=true (from the new scheduler) but dereferences the freed scheduler object when executing SCX_HAS_OP() and SCX_CALL_OP() macros. The fix ensures scx_root is read only within the scx_cgroup_ops_rwsem read-critical section, so the cached scheduler pointer remains consistent with the enabled state throughout the operation.

Business impact

Local attackers with non-root privileges can trigger this race condition to crash the kernel or potentially execute arbitrary code with elevated privileges. The attack requires timing precision but no special capabilities beyond standard process execution. Systems running production workloads that use sched_ext (custom schedulers for specialized workloads, containers, or real-time applications) face service disruption and potential data exposure if the vulnerability is exploited before patching.

Affected systems

Linux kernel versions that include the sched_ext subsystem are affected. The sched_ext feature is an experimental framework introduced in newer kernel versions for pluggable schedulers. Systems running long-term stable or distribution kernels should verify whether sched_ext is compiled and enabled in their kernel configuration; many default deployments do not yet include this feature. Affected users should check their kernel version and configuration against vendor advisories and security updates.

Exploitability

Exploitation requires local access and unprivileged user privileges (PR:L in the CVSS vector). The attack complexity is rated as high (AC:H) because it requires precise timing to trigger the race condition between the naked load and lock acquisition. However, a determined attacker could use repeated attempts or event scheduling to increase success probability. No public exploit code is known at this time, but the vulnerability is not particularly complex once understood. Mitigations are limited for affected systems pending patches.

Remediation

Apply a kernel update containing the fix for CVE-2026-46154. The patch moves the scx_root read operation inside the scx_cgroup_ops_rwsem read-critical section, eliminating the race window. Verify the specific patched kernel version against your Linux distribution's security advisory. Interim mitigation on systems without sched_ext compiled or enabled is not required. If sched_ext is disabled in the kernel configuration, the vulnerability cannot be triggered.

Patch guidance

Obtain the patched kernel from your distribution's security repository or from kernel.org once fixes are released. Distributions typically backport security fixes to multiple supported kernel versions; verify which versions in your support lifecycle receive updates. After patching, reboot systems to load the fixed kernel. Test in a staging environment first to ensure compatibility with custom kernel modules or specialized configurations. For organizations using sched_ext for production workloads, prioritize testing before deploying to critical systems.

Detection guidance

Monitor system logs for kernel panics, general protection faults, or warnings related to RCU callbacks and scheduler operations. Memory sanitizers (KASAN, MSAN) in testing environments will flag UAF access attempts. Kernel debugging tools like perf and ftrace can correlate cgroup weight/bandwidth adjustments with scheduler enable/disable events to identify race condition attempts. Intrusion detection systems should flag patterns of repeated cgroup modifications under load, though this may generate false positives on legitimate workloads. Detection is difficult without kernel instrumentation because the race leaves no userspace artifacts.

Why prioritize this

This vulnerability merits high priority due to its HIGH CVSS score (7.0) and the confluence of factors: it provides a local privilege escalation path, requires only standard user privileges to trigger, and directly compromises kernel memory safety. Although exploitation requires precise timing (AC:H), the impact is severe—kernel crash or code execution. Organizations using sched_ext should prioritize patching immediately. Even those not actively using sched_ext should evaluate their kernel configuration and apply updates in their regular patch cycles to maintain defense-in-depth.

Risk score, explained

CVSS 3.1 score of 7.0 (HIGH) reflects: local attack vector (AV:L) because it requires local system access; high complexity (AC:H) due to the race condition's timing sensitivity; low privilege requirement (PR:L) since unprivileged users can trigger it; no user interaction (UI:N); confidentiality, integrity, and availability all high-impact (C:H/I:H/A:H) because the UAF can enable kernel code execution or crash. The severity is not critical because exploitation is not trivial and depends on sched_ext being enabled, but it crosses the threshold for immediate patching in affected environments.

Frequently asked questions

What is sched_ext and is it enabled on my system?

sched_ext is an experimental Linux kernel subsystem for implementing custom process schedulers without modifying the kernel core. It is not enabled by default on most distributions. Check if it is compiled into your kernel using: grep SCHED_EXT /boot/config-$(uname -r). If the output is empty or shows '=n', your system is not vulnerable. If it shows '=y', verify whether your scheduler enables sched_ext.

Can this be exploited remotely or without local access?

No. The vulnerability requires local system access with unprivileged user privileges. Remote attackers cannot trigger this race condition. This limits the attack surface to local users, containers, or processes on the same system.

What should I do if I cannot patch immediately?

If sched_ext is not critical to your workload, disable it in your kernel configuration and rebuild, or use a kernel compiled without SCHED_EXT. If you depend on sched_ext, isolate the system, restrict local user access, apply strong process isolation (seccomp, AppArmor), and monitor for exploitation attempts while awaiting patches.

Does this affect container or cloud deployments?

Yes, if the host kernel has sched_ext enabled. Container security models typically assume the kernel is trusted; a local privilege escalation via this UAF could allow a container to break out. Cloud providers should ensure their kernel versions are patched. Verify your cloud provider's kernel version and patching timeline.

This analysis is based on the published CVE record and kernel commit description as of the date provided. CVSS scores and severity ratings are vendor-assigned and may be updated. Exploitation complexity and real-world impact may vary by kernel version, configuration, and deployment context. Organizations should verify patch availability from their Linux distribution before assuming fixes are available. No exploit code is provided or endorsed herein. This document is for informational purposes to support vulnerability management and is not a substitute for vendor advisories or professional security consultation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10012HIGH

    CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)

  • CVE-2026-10013HIGH

    CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment

  • CVE-2026-10016HIGH

    CVE-2026-10016: Use-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability

  • CVE-2026-10882HIGH

    CVE-2026-10882: Critical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance