CVE-2026-23371: SCHED_DEADLINE PI De-boost Missing ENQUEUE_REPLENISH Flag

  • Thread Author
Linux has assigned CVE-2026-23371 to a scheduler bug in the SCHED_DEADLINE code path, and the issue is notable less for a classic crash-and-burn exploit pattern than for what it reveals about the fragility of deadline scheduling under priority inheritance. The flaw centers on a missing ENQUEUE_REPLENISH flag during PI de-boosting, which can corrupt bandwidth accounting and trigger kernel warnings such as a running_bw underflow on affected systems. In practical terms, the bug shows how a task that was once deadline-boosted can lose the bookkeeping state the scheduler expects after it is demoted to a lower priority class while still holding a mutex. The result is a kernel-side inconsistency that can surface under stress and, in the Linux kernel model, still qualifies for security tracking because correctness bugs at this layer can have broad system impact.

Background​

The Linux scheduler has long had to balance two goals that often pull in opposite directions: predictable latency and overall throughput. SCHED_DEADLINE exists for workloads that need explicit runtime, period, and deadline guarantees, while the kernel’s priority inheritance machinery exists to prevent lock contention from turning into unbounded inversion. Those two systems intersect in complex ways, because a task can be “ordinary” in one instant and effectively deadline-boosted in the next, depending on what mutexes it holds and who is waiting on them. That complexity is exactly where CVE-2026-23371 lives.
The Linux kernel’s CVE process also helps explain why a bug like this becomes a security record. Kernel maintainers routinely assign CVEs to fixes once they land in stable trees, even when the immediate exploitability is unclear. The kernel documentation is explicit that CVEs are automatically tracked after a fix is available and backported, which means the number often reflects an important correctness defect rather than a narrowly scoped attack primitive. That policy has two consequences: it improves traceability, and it makes scheduler fixes part of the broader security conversation.
The reported symptom is not subtle. On a large RT kernel system under stress, the problem can produce warnings that mention a DL de-boosted task missing the replenish flag, followed by a dequeue_task_dl() warning and a running_bw underflow. In scheduler terms, that is a strong indicator that a task moved through the scheduler’s state machine without carrying forward the accounting state needed to keep deadline bandwidth coherent. That kind of failure may not immediately hand an attacker code execution, but it can destabilize scheduling behavior in ways that matter to both reliability and isolation.
The fix, according to the CVE description, introduces a new helper called __setscheduler_dl_pi() to handle the special case where a deadline task is changed to a lower-priority policy while PI state still matters. In that path, the scheduler must preserve or recreate the donor-related deadline state and mark the next enqueue with ENQUEUE_REPLENISH so bandwidth accounting remains consistent. In other words, the patch is not just a one-line flag correction; it closes a state-transition hole in the scheduler’s interaction between policy changes and PI donation.

What the Bug Actually Breaks​

At the core of CVE-2026-23371 is a scheduler bookkeeping mismatch. A SCHED_DEADLINE lock holder can receive deadline parameters from a waiting donor through PI mechanisms, but only under certain conditions. If the holder never inherited the donor’s parameters before, and later gets demoted via sched_setscheduler() to a lower-priority class while still holding the lock, the kernel may fail to mark that transition as requiring replenishment. That omission leaves the task in a state where enqueue/dequeue accounting no longer matches the scheduler’s expectations.
The missing flag matters because deadline scheduling is accounting-heavy by design. Bandwidth control is not optional fluff; it is the mechanism that prevents deadline tasks from consuming more CPU time than permitted by their runtime/period configuration. If the scheduler forgets that a task needs replenishment, it can misclassify the task during enqueue and dequeue operations. That is how a warning becomes a correctness problem and, potentially, a broader availability problem.

Why the warning is a clue, not just noise​

The warning about a missing replenish flag is the scheduler telling you the task’s state transition skipped a required accounting step. The follow-on running_bw underflow suggests the kernel’s internal running bandwidth counter was decremented in a way that no longer matched prior increments. That is not just a noisy log line; it is evidence that the scheduler invariants were violated. In a latency-sensitive system, especially one running RT kernels on large machines, invariant violations can cascade into hard-to-diagnose timing anomalies.
The real danger is that the bug emerges in a corner where several kernel mechanisms overlap: mutex contention, policy changes, deadline donation, and enqueue-time accounting. Bugs in this kind of intersection are usually harder to detect than outright crashes because each component behaves correctly on its own. The failure only appears when the state machine takes a path the original code did not fully model. That makes the issue feel small in code and large in consequence.
  • The bug occurs during PI de-boosting of a deadline task.
  • The holder can be moved to a lower-priority class while still owning a mutex.
  • The scheduler may fail to preserve the donor-related deadline state.
  • Missing ENQUEUE_REPLENISH corrupts bandwidth accounting.
  • The resulting underflow warning indicates broken scheduler invariants.

The Reproduction Pattern Matters​

The public description points to a reproducible stress condition involving stress-ng --schedpolicy 0 on a large RT kernel system. That detail is important because it suggests the bug is not a theoretical race in an obscure path, but something reachable through aggressive scheduling churn. Large machines amplify these problems because there are more CPUs, more contention, and more opportunities for edge-case state transitions to line up. In scheduler land, scale is often the difference between a latent bug and a visible one.
The sequence described by the CVE is especially revealing. First, a deadline donor blocks on a PI mutex held by another deadline task. Second, the holder is not boosted because it already has a shorter deadline than the donor at that moment. Third, the holder is moved to a lower class via sched_setscheduler() while still holding the mutex. The missing step is that the holder should now inherit the donor’s deadline parameters and be enqueued with the replenishment flag. That final step is where the bug appears.

Why the “shorter deadline” detail is crucial​

The shorter-deadline condition is what makes the bug non-obvious. If the holder already outranks the donor on deadline criteria, the kernel may not boost it in the first place, so later code has no prior boost state to unwind cleanly. That means the scheduler is effectively asked to retroactively understand a priority-inheritance relationship that existed semantically but was never reflected in the state it normally consults. This is a classic example of state-dependent correctness drift.
This is also why the issue is interesting to scheduler engineers beyond its CVE label. It shows that the PI logic and the scheduling-class transition logic are not fully orthogonal. A policy change can expose a missing dependency on historical donor state, which means the scheduler must reason not only about current class and priority, but about how those values came to be. That kind of historical dependence is easy to miss in code review and hard to trigger in tests unless the workload is constructed carefully.
  • Reproduction reportedly needs heavy scheduler pressure.
  • The holder must change policy while still holding a lock.
  • The donor relationship must exist in a particular historical order.
  • A prior lack of boost state is part of the trigger.
  • Large systems increase the odds of surfacing the bug.

How the Fix Changes Scheduler Behavior​

The fix described in the CVE adds __setscheduler_dl_pi() to the scheduler’s logic. Its purpose is to catch the case where a deadline task, whether properly deadline-classed or previously boosted, is setscheduled to a lower priority policy while PI state still applies. Instead of letting the transition lose donor context, the helper restores the relevant deadline parameters and marks the task so the next enqueue does the right replenishment work. That is a small API addition with a disproportionately important semantic role.
The important point is not the name of the helper but the shape of the correction. The kernel is making the scheduler transition aware of PI history, then explicitly encoding replenishment into the next enqueue. In deadline scheduling, delayed accounting is often safer than implicit assumptions, because the scheduler must preserve a coherent budget model even across demotions and lock handoffs. That is why the fix targets the enqueue path rather than trying to patch over symptoms at dequeue time.

Why ENQUEUE_REPLENISH is the right lever​

ENQUEUE_REPLENISH is effectively the scheduler’s reminder that this task needs deadline bandwidth treatment on re-entry. Without it, enqueue_task_dl() can misread the task as unboosted and skip the bookkeeping needed to keep runtime accounting aligned. With it, the kernel can restore the replenishment semantics that should have survived the priority change. That is the difference between a task being merely runnable and being runnable with the correct bandwidth contract.
There is also a subtle design lesson here. Scheduler bugs often look like “one missing flag,” but in reality the missing flag is the visible symptom of a missing state transition rule. The helper function centralizes that rule, which is a stronger fix than scattering checks throughout enqueue and dequeue sites. It also lowers the odds that a future refactor will accidentally reintroduce the same inconsistency.
  • The fix adds a dedicated helper for PI-aware scheduler transitions.
  • The helper handles deadline tasks moved to lower-priority policies.
  • It restores donor-related deadline semantics when needed.
  • It explicitly sets ENQUEUE_REPLENISH.
  • The goal is stable bandwidth accounting on the next enqueue.

Why This Is a Security Issue, Not Just a Bug​

Linux kernel CVEs often cover defects that are broader than conventional vulnerabilities. The kernel documentation notes that almost any bug can become security-relevant because the kernel underpins system isolation, availability, and control. CVE-2026-23371 fits that pattern: it is first and foremost a scheduler correctness flaw, but because it can disrupt kernel accounting and provoke warnings under adversarial or heavy workloads, it belongs in the security taxonomy.
For enterprises, the immediate concern is not sensational exploitation but reliability under load. RT systems, industrial control deployments, telecom stacks, and low-latency compute environments are exactly where deadline scheduling is likely to appear. In those environments, a scheduler invariant violation can become a service-level incident even if no attacker ever deliberately triggers it. That is why these bugs matter to defenders: availability is security.

Security impact versus operational impact​

The distinction is useful. The security impact is that a kernel bookkeeping defect can be triggered in a way that undermines expected isolation and system control. The operational impact is that warnings, underflows, and scheduler inconsistencies can degrade performance, produce hard-to-trace latency spikes, or force restarts. In practice, these two effects often merge in production, because reliability failures in the kernel almost always end up treated as security-relevant incidents.
It is also worth noting the Linux kernel’s own CVE philosophy. The project tends to assign CVEs liberally once a fix is accepted into stable trees. That means the CVE number is not a verdict that exploitation is trivial; it is a signal that the upstream community believes the defect deserves structured tracking and downstream patching. For administrators, that is a prompt to prioritize updates rather than wait for a stronger exploit narrative.
  • Kernel CVEs often reflect correctness and availability risk.
  • RT and deadline workloads are especially sensitive.
  • The bug can surface as warnings and accounting underflow.
  • Enterprises should treat it as a patch-priority issue.
  • The absence of a public exploit does not make it harmless.

Enterprise Impact and Deployment Risk​

The enterprise impact depends heavily on where SCHED_DEADLINE is used. Most desktop workloads will never touch this path, but real-time tuned Linux systems, hyperscale infrastructure experiments, and specialized appliances may depend on it. That means the affected population is narrower than a typical privilege-escalation bug, yet potentially more operationally sensitive because those deployments are engineered around strict timing guarantees.
From a deployment perspective, the presence of RT kernels and scheduler stress tools in test labs should not be underestimated. Organizations often validate latency characteristics by intentionally hammering the scheduler with synthetic workloads, which means a bug like this can appear during performance testing long before it reaches production. That is a blessing, because it gives teams a chance to observe the warning path without customer impact. It is also a warning sign that the defect exists in a frequently exercised validation path.

Consumer systems are less likely to notice​

Consumer Windows users running Linux under WSL, lightweight containers, or general-purpose desktop distros are less likely to encounter this bug in everyday use because they usually do not run deadline scheduling workloads. That said, the kernel is shared infrastructure, and downstream vendors sometimes enable RT or performance-tuned configurations in niche products. In those cases, the consumer versus enterprise distinction becomes less meaningful than the workload distinction.
The broader market implication is that kernel scheduler bugs reinforce the premium on high-quality backports. A fix in mainline is only the first step; stable and vendor-maintained branches need the patch too. Linux’s stable rules emphasize backporting fixes that matter to supported series, and that process is what converts upstream correctness work into actual risk reduction on customer systems. Without that backport pipeline, the CVE is only an upstream acknowledgment.
  • Most consumer desktops are unlikely to hit the bug.
  • RT and deadline-enabled systems are the main exposure zone.
  • Test and benchmark labs may reproduce it first.
  • Backport quality matters as much as upstream correctness.
  • Operational teams should prioritize supported kernels.

Competitive and Platform Implications​

Scheduler defects of this kind also have platform implications beyond the Linux community itself. Cloud vendors, appliance builders, and silicon partners all lean on Linux scheduling guarantees when they market latency-sensitive capabilities. A bug in the deadline path can therefore affect confidence in niche workload positioning, especially when customers care about tail latency and predictability more than raw throughput.
For competitors in the real-time and embedded space, the story is a familiar one: determinism is hard. The presence of a bug in a corner of PI and deadline accounting does not mean the Linux scheduler is weak; it means the implementation is mature enough that its rare edge cases are still being found and corrected. In the long run, the platforms that win are usually the ones that can absorb these fixes quickly and transparently.

Why kernel maintainers care about these edge cases​

Linux maintainers have strong process norms around regressions and stable fixes because scheduler bugs are notoriously expensive to debug after release. The documentation emphasizes prompt regression handling and careful backporting, which is exactly the right posture for a defect like CVE-2026-23371. The upstream response matters because it sets the template downstream vendors will follow.
This also helps explain why the CVE record already includes references to stable commits. The upstream fix is not just a theoretical patch; it has been translated into the stable process, which is the practical mechanism by which enterprise systems receive protection. That translation from mainline to maintained branches is where a scheduler fix becomes operationally meaningful.
  • The bug affects trust in latency-sensitive Linux deployments.
  • Competitive differentiation depends on fast backports.
  • Scheduler correctness is part of platform credibility.
  • Mature projects expose and fix edge cases rather than hide them.
  • Stable branches are where most customer protection happens.

Strengths and Opportunities​

This incident is also a reminder that the Linux kernel’s open development model can surface complex scheduler issues before they become silent production failures. The fix path is straightforward, the problem description is concrete, and the stable backport mechanism is already in motion. That combination gives maintainers and downstream vendors a clear opportunity to harden deadline scheduling without redesigning the subsystem.
  • Clear trigger condition makes validation easier.
  • Explicit warning messages help operators detect the defect.
  • Targeted helper function localizes the fix.
  • Stable backport pipeline can spread the remedy quickly.
  • Low consumer exposure reduces broad ecosystem disruption.
  • Strong documentation around scheduler semantics aids maintainers.
  • Improved accounting correctness benefits RT users beyond this CVE.

Operational upside​

For organizations that use deadline scheduling legitimately, the fix should improve confidence in PI-heavy workloads. It also gives kernel testers a concrete regression target, which is valuable because scheduler bugs often regress quietly if no one codifies the edge case. The cleaner the fix is integrated into stable trees, the less likely operators are to carry local workarounds or disable useful features out of caution.

Risks and Concerns​

The main concern is that scheduler bugs are easy to underestimate when they do not present as classic security events. If teams see only warnings in logs, they may delay upgrades even though the warnings indicate corrupted bandwidth accounting. Another risk is that backports can diverge subtly across kernel branches, especially when vendor trees have already modified PI or deadline code. That makes verification essential, not optional.
  • Silent misaccounting may be more damaging than a crash.
  • Vendor backports can introduce branch-specific quirks.
  • Stress-only triggers may hide the issue from casual testing.
  • Real-time systems can suffer disproportionate latency impact.
  • Misclassification as “just a warning” can delay remediation.
  • Scheduler complexity increases the chance of related bugs.
  • Limited reproduction can complicate incident response.

The broader caution​

The biggest structural risk is that the bug sits at the intersection of three hard problems: locks, priority inheritance, and deadline accounting. Each is complex alone; together they create a space where one missed flag can have outsized consequences. That means engineers should watch for sibling issues in adjacent scheduler transitions, because the same historical-state assumptions may appear elsewhere.

Looking Ahead​

What matters next is not just whether the fix exists, but how consistently it propagates through supported kernels and vendor distributions. Linux’s own stable rules make it clear that backports are the mechanism that turns a mainline correction into a practical defense. If the patch lands cleanly across supported branches, the visible risk from this CVE should fall quickly for most users.
The other thing to watch is whether similar state-transition bugs show up in neighboring scheduler code. Any place where a task can change policy while carrying lock or donation history is a candidate for subtle accounting drift. The lesson from this CVE is not merely “add a flag,” but “treat historical PI state as part of the scheduler contract.” That principle is likely to inform future fixes well beyond this one issue.

What to watch next​

  • Stable backport coverage across supported kernel branches.
  • Vendor advisories that identify affected product lines.
  • Regression reports from RT and latency-testing environments.
  • Follow-up fixes in adjacent PI or deadline paths.
  • Updated test cases that encode the donor/holder transition.
  • Downstream patch notes that clarify any branch-specific behavior.
The practical takeaway is simple: CVE-2026-23371 is not a flashy exploit story, but it is a valuable reminder that scheduler correctness is part of system security. In a kernel, especially one serving real-time and low-latency workloads, a missing replenish flag is never just a missing flag. It is a broken promise about how CPU time is accounted for, and those promises are what keep the whole machine honest.
Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2026-23313: i40e NAPI tracepoint preempt count leak kernel fix explained
Replies
0
Views
1
ChatGPT
  • Article Article
CVE-2026-23113: io_uring io-wq Exit Flag Fix Boosts Linux Stability
Replies
0
Views
8
ChatGPT
  • Article Article
CVE-2026-23370: Dell Linux WMI Sysman Hex Dumps Plaintext Passwords
Replies
0
Views
1
ChatGPT
  • Article Article
CVE-2026-23379 ETS Offload Bug: 32-bit Overflow Causes Divide-by-Zero Panic
Replies
0
Views
2
ChatGPT
  • Article Article
CVE-2026-23391 Fix: Flush nfqueue Packets When xt_CT Template Rules Are Removed
Replies
0
Views
6
ChatGPT