VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2025 · Updated Apr 15, 2026

CVE-2025-40260

Description

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix scx_enable() crash on helper kthread creation failure

A crash was observed when the sched_ext selftests runner was terminated with Ctrl+\ while test 15 was running:

    NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0
    LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0
    Call Trace:
    scx_enable.constprop.0+0x32c/0x12b0 (unreliable)
    bpf_struct_ops_link_create+0x18c/0x22c
    __sys_bpf+0x23f8/0x3044
    sys_bpf+0x2c/0x6c
    system_call_exception+0x124/0x320
    system_call_vectored_common+0x15c/0x2ec

kthread_run_worker() returns an ERR_PTR() on failure rather than NULL, but the current code in scx_alloc_and_add_sched() only checks for a NULL helper. In case of failure on SIGQUIT, the error is not handled in scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an error pointer.

Error handling is fixed in scx_alloc_and_add_sched() to propagate PTR_ERR() into ret, so that scx_enable() jumps to the existing error path, avoiding random dereference on failure.
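A user-space model of the check described above, added here as an illustration (it is not the kernel's code or the fix commit's diff). ERR_PTR/IS_ERR/PTR_ERR are re-implemented stand-ins, and run_worker_model(), struct sched, struct worker, the two alloc_* functions and the -EINTR value are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-ins for the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct worker { int id; };               /* hypothetical helper-worker type */
struct sched { struct worker *helper; }; /* hypothetical scheduler object */

/* Models a creator that, like kthread_run_worker(), returns ERR_PTR() and
 * never NULL on failure. -EINTR is a constructed value for the example. */
static struct worker *run_worker_model(int fail)
{
    static struct worker w = { 1 };
    return fail ? ERR_PTR(-EINTR) : &w;
}

/* "Before" shape: only NULL counts as failure, so an error pointer slips through. */
static int alloc_null_check_only(struct sched *sch, int fail)
{
    sch->helper = run_worker_model(fail);
    if (!sch->helper)
        return -ENOMEM;
    return 0; /* reports success while helper holds an error pointer */
}

/* "After" shape: IS_ERR() detects the failure and PTR_ERR() becomes the return
 * value, so the caller takes its error path. Clearing helper is this example's choice. */
static int alloc_is_err_check(struct sched *sch, int fail)
{
    sch->helper = run_worker_model(fail);
    if (IS_ERR(sch->helper)) {
        int ret = (int)PTR_ERR(sch->helper);
        sch->helper = NULL;
        return ret;
    }
    return 0;
}

/* True only when a caller may safely dereference sch->helper. */
static int helper_usable(const struct sched *sch) { return sch->helper && !IS_ERR(sch->helper); }

int main(void)
{
    struct sched a, b;
    int ra = alloc_null_check_only(&a, 1), rb = alloc_is_err_check(&b, 1);
    printf("NULL check only: ret=%d helper usable=%d\n", ra, helper_usable(&a));
    printf("IS_ERR check:    ret=%d helper usable=%d\n", rb, helper_usable(&b));
    return 0;
}
```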

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing error handling for a kthread_run_worker() failure in the Linux kernel's sched_ext leads to an ERR_PTR dereference and a crash.

Root Cause

The vulnerability is a bug in the Linux kernel's sched_ext subsystem, where the function scx_alloc_and_add_sched() fails to properly handle errors from kthread_run_worker(). kthread_run_worker() returns an ERR_PTR on failure, but the code only checks for NULL, leading to a crash when the error pointer is dereferenced in scx_enable().

Exploitation Prerequisites

No special prerequisites are required; the crash can be triggered by sending a SIGQUIT signal to the sched_ext selftests runner while test 15 is running. This causes the helper kthread creation to fail, and the kernel then attempts to dereference the invalid error pointer, resulting in a system crash.

Impact

An attacker with the ability to trigger the crash (e.g., by sending SIGQUIT from within a container or user namespace where sched_ext is in use) can cause a denial of service via kernel panic. The crash trace shows a dereference at scx_enable.constprop.0+0x358/0x12b0 [1].

Mitigation

The fix is included in commit [1] upstream, which changes the error handling to propagate the error via PTR_ERR(), allowing scx_enable() to jump to the existing error path instead of dereferencing an invalid pointer. Users should update to a kernel containing this patch.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
