CVE-2026-23371

{"id": "CVE-2026-23371", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-25T11:16:36.637", "references": [{"url": "https://git.kernel.org/stable/c/ba1c22924ddcc280672a2a06a9ca99ee3a1b92c3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d658686a1331db3bb108ca079d76deb3208ed949", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting\n\nRunning stress-ng --schedpolicy 0 on an RT kernel on a big machine\nmight lead to the following WARNINGs (edited).\n\n sched: DL de-boosted task PID 22725: REPLENISH flag missing\n\n WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (running_bw underflow)\n Call trace:\n dequeue_task_dl+0x15c/0x1f8 (P)\n dequeue_task+0x80/0x168\n deactivate_task+0x24/0x50\n push_dl_task+0x264/0x2e0\n dl_task_timer+0x1b0/0x228\n __hrtimer_run_queues+0x188/0x378\n hrtimer_interrupt+0xfc/0x260\n ...\n\nThe problem is that when a SCHED_DEADLINE task (lock holder) is\nchanged to a lower priority class via sched_setscheduler(), it may\nfail to properly inherit the parameters of potential DEADLINE donors\nif it didn't already inherit them in the past (shorter deadline than\ndonor's at that time). This might lead to bandwidth accounting\ncorruption, as enqueue_task_dl() won't recognize the lock holder as\nboosted.\n\nThe scenario occurs when:\n1. A DEADLINE task (donor) blocks on a PI mutex held by another\n DEADLINE task (holder), but the holder doesn't inherit parameters\n (e.g., it already has a shorter deadline)\n2. sched_setscheduler() changes the holder from DEADLINE to a lower\n class while still holding the mutex\n3. The holder should now inherit DEADLINE parameters from the donor\n and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen\n\nFix the issue by introducing __setscheduler_dl_pi(), which detects when\na DEADLINE (proper or boosted) task gets setscheduled to a lower\npriority class. In case, the function makes the task inherit DEADLINE\nparameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to\nensure proper bandwidth accounting during the next enqueue operation."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nsched/deadline: Solucionar la falta de ENQUEUE_REPLENISH durante la des-potenciaci\u00f3n PI\n\nEjecutar stress-ng --schedpolicy 0 en un kernel RT en una m\u00e1quina grande podr\u00eda llevar a las siguientes ADVERTENCIAS (editado).\n\n sched: Tarea DL des-potenciada PID 22725: Falta la bandera REPLENISH\n\n ADVERTENCIA: CPU: 93 PID: 0 en kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (desbordamiento negativo de running_bw)\n Traza de llamada:\n dequeue_task_dl+0x15c/0x1f8 (P)\n dequeue_task+0x80/0x168\n deactivate_task+0x24/0x50\n push_dl_task+0x264/0x2e0\n dl_task_timer+0x1b0/0x228\n __hrtimer_run_queues+0x188/0x378\n hrtimer_interrupt+0xfc/0x260\n ...\n\nEl problema es que cuando una tarea SCHED_DEADLINE (poseedor del bloqueo) se cambia a una clase de prioridad inferior a trav\u00e9s de sched_setscheduler(), puede no heredar correctamente los par\u00e1metros de los posibles donantes DEADLINE si no los hered\u00f3 ya en el pasado (plazo m\u00e1s corto que el del donante en ese momento). Esto podr\u00eda llevar a la corrupci\u00f3n de la contabilidad del ancho de banda, ya que enqueue_task_dl() no reconocer\u00e1 al poseedor del bloqueo como potenciado.\n\nEl escenario ocurre cuando:\n1. Una tarea DEADLINE (donante) se bloquea en un mutex PI mantenido por otra tarea DEADLINE (poseedor), pero el poseedor no hereda los par\u00e1metros (por ejemplo, ya tiene un plazo m\u00e1s corto)\n2. sched_setscheduler() cambia el poseedor de DEADLINE a una clase inferior mientras a\u00fan mantiene el mutex\n3. El poseedor deber\u00eda ahora heredar los par\u00e1metros DEADLINE del donante y ser encolado con ENQUEUE_REPLENISH, pero esto no sucede\n\nSolucionar el problema introduciendo __setscheduler_dl_pi(), que detecta cuando una tarea DEADLINE (propia o potenciada) se programa a una clase de prioridad inferior. En ese caso, la funci\u00f3n hace que la tarea herede los par\u00e1metros DEADLINE del donante (pi_se) y establece la bandera ENQUEUE_REPLENISH para asegurar una contabilidad adecuada del ancho de banda durante la siguiente operaci\u00f3n de encolado."}], "lastModified": "2026-04-24T16:36:24.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC49E974-39F0-4EAB-AA56-2136CE9885A8", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.257"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FF42D15-4929-4BA3-A853-6ED272405AD4", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.212"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59C083CB-F10A-4E24-A914-13201863DFA3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "5.10.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B29EBB93-107F-4ED6-8DE3-C2732BC659C3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}