Security Vulnerability Report
CVE-2026-43438 CVSS 7.8 HIGH

CVE-2026-43438

Published: 2026-05-08 15:16:56
Last Modified: 2026-05-11 08:16:14
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Remove redundant css_put() in scx_cgroup_init()

The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs.

According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow.

Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < commit 1336b579f6079fb8520be03624fcd9ba443c930b
Linux Kernel < commit 6eaaa67d6998f6c30c462b140db8c062e07ec473

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC Concept: Trigger scx_cgroup_init error path
 * This requires a kernel with sched_ext enabled and vulnerable code.
 * Compile as a kernel module or user-space trigger logic.
 */
#include <linux/printk.h>   /* printk(), KERN_INFO */
#include <linux/sched.h>
#include <linux/cgroup.h>

// Simulated trigger logic
void trigger_vulnerability(void)
{
	// Local attacker needs to load a sched_ext scheduler
	// that forces an error during cgroup initialization.
	// Example: Loading a malformed BPF scheduler program.

	// When scx_cgroup_init() fails:
	// 1. css_for_each_descendant_pre() iterates without css_get().
	// 2. Error path jumps to cleanup.
	// 3. Vulnerable code calls css_put() -> Refcount Underflow.

	// Result: Kernel memory corruption (UAF).
	printk(KERN_INFO "Attempting to trigger CVE-2026-43438\n");
}

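References

https://git.kernel.org/stable/c/1336b579f6079fb8520be03624fcd9ba443c930b
https://git.kernel.org/stable/c/6eaaa67d6998f6c30c462b140db8c062e07ec473
https://git.kernel.org/stable/c/bf50f3285eda8a0173625fcdb5f183f96e1008cd
https://git.kernel.org/stable/c/cc095cd305fddbe25a968e4a78436ff9476cf0f6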

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43438", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:56.160", "lastModified": "2026-05-11T08:16:14.200", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Remove redundant css_put() in scx_cgroup_init()\n\nThe iterator css_for_each_descendant_pre() walks the cgroup hierarchy\nunder cgroup_lock(). It does not increment the reference counts on\nyielded css structs.\n\nAccording to the cgroup documentation, css_put() should only be used\nto release a reference obtained via css_get() or css_tryget_online().\nSince the iterator does not use either of these to acquire a reference,\ncalling css_put() in the error path of scx_cgroup_init() causes a\nrefcount underflow.\n\nRemove the unbalanced css_put() to prevent a potential Use-After-Free\n(UAF) vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/1336b579f6079fb8520be03624fcd9ba443c930b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6eaaa67d6998f6c30c462b140db8c062e07ec473", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bf50f3285eda8a0173625fcdb5f183f96e1008cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cc095cd305fddbe25a968e4a78436ff9476cf0f6", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}