CVE-2026-31733

EUVD-2026-26546
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix stale direct dispatch state in ddsp_dsq_id

@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a
spurious warning in mark_direct_dispatch() when the next wakeup's
ops.select_cpu() calls scx_bpf_dsq_insert(), such as:

 WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140

The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(),
which is not reached in all paths that consume or cancel a direct dispatch
verdict.

Fix it by clearing it at the right places:

 - direct_dispatch(): cache the direct dispatch state in local variables
   and clear it before dispatch_enqueue() on the synchronous path. For
   the deferred path, the direct dispatch state must remain set until
   process_ddsp_deferred_locals() consumes them.

 - process_ddsp_deferred_locals(): cache the dispatch state in local
   variables and clear it before calling dispatch_to_local_dsq(), which
   may migrate the task to another rq.

 - do_enqueue_task(): clear the dispatch state on the enqueue path
   (local/global/bypass fallbacks), where the direct dispatch verdict is
   ignored.

 - dequeue_task_scx(): clear the dispatch state after dispatch_dequeue()
   to handle both the deferred dispatch cancellation and the holding_cpu
   race, covering all cases where a pending direct dispatch is
   cancelled.

 - scx_disable_task(): clear the direct dispatch state when
   transitioning a task out of the current scheduler. Waking tasks may
   have had the direct dispatch state set by the outgoing scheduler's
   ops.select_cpu() and then been queued on a wake_list via
   ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such
   tasks are not on the runqueue and are not iterated by scx_bypass(),
   so their direct dispatch state won't be cleared. Without this clear,
   any subsequent SCX scheduler that tries to direct dispatch the task
   will trigger the WARN_ON_ONCE() in mark_direct_dispatch().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
6.12 ≤
𝑥
< 6.12.82
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.22
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.12
linuxlinux_kernel
7.0:rc1
linuxlinux_kernel
7.0:rc2
linuxlinux_kernel
7.0:rc3
linuxlinux_kernel
7.0:rc4
linuxlinux_kernel
7.0:rc5
linuxlinux_kernel
7.0:rc6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.257-1
fixed
forky
7.0.10-1
fixed
sid
7.0.12-2
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.90-2
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
bpftool6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
bpftool6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel-livepatch-6.12.83-113.160
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.18.25-52.107
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
kernel6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-aarch64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-x86_64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-headers
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra-common
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.83-113.160.amzn2023
fixed
python3-perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5
https://git.kernel.org/stable/c/7e0ffb72de8aa3b25989c2d980e81b829c577010
https://git.kernel.org/stable/c/7ea601daa0153e19cd1c6e6b300348c70c05fe77
https://git.kernel.org/stable/c/ca685511f7afd42cdcbb0feea42e5d332d384251