VYPR
← All advisories
Medium severity5.5NVD Advisory· Published May 1, 2026· Updated May 7, 2026

CVE-2026-31733

CVE-2026-31733

Description

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix stale direct dispatch state in ddsp_dsq_id

@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a spurious warning in mark_direct_dispatch() when the next wakeup's ops.select_cpu() calls scx_bpf_dsq_insert(), such as:

WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140

The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), which is not reached in all paths that consume or cancel a direct dispatch verdict.

Fix it by clearing it at the right places:

- direct_dispatch(): cache the direct dispatch state in local variables and clear it before dispatch_enqueue() on the synchronous path. For the deferred path, the direct dispatch state must remain set until process_ddsp_deferred_locals() consumes them.

- process_ddsp_deferred_locals(): cache the dispatch state in local variables and clear it before calling dispatch_to_local_dsq(), which may migrate the task to another rq.

- do_enqueue_task(): clear the dispatch state on the enqueue path (local/global/bypass fallbacks), where the direct dispatch verdict is ignored.

- dequeue_task_scx(): clear the dispatch state after dispatch_dequeue() to handle both the deferred dispatch cancellation and the holding_cpu race, covering all cases where a pending direct dispatch is cancelled.

- scx_disable_task(): clear the direct dispatch state when transitioning a task out of the current scheduler. Waking tasks may have had the direct dispatch state set by the outgoing scheduler's ops.select_cpu() and then been queued on a wake_list via ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such tasks are not on the runqueue and are not iterated by scx_bypass(), so their direct dispatch state won't be cleared. Without this clear, any subsequent SCX scheduler that tries to direct dispatch the task will trigger the WARN_ON_ONCE() in mark_direct_dispatch().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stale direct dispatch state in the Linux kernel's sched_ext scheduler can trigger a spurious warning and potentially cause incorrect task scheduling.

Vulnerability

Analysis

CVE-2026-31733 is a vulnerability in the Linux kernel's sched_ext (sched_ext) scheduler component. The root cause is that the p->scx.ddsp_dsq_id field, which tracks a direct dispatch verdict, can remain set (non-SCX_DSQ_INVALID) after a direct dispatch is consumed or cancelled, leading to a spurious warning in mark_direct_dispatch() when the next wakeup's ops.select_cpu() calls scx_bpf_dsq_insert() [1]. The field was only cleared in dispatch_enqueue(), which is not reached in all paths that consume or cancel a direct dispatch verdict [1].

Exploitation and

Impact

The vulnerability can be triggered during task wakeup operations when the sched_ext scheduler's ops.select_cpu() function uses scx_bpf_dsq_insert(). An attacker with local access and the ability to influence task scheduling (e.g., through cgroup or sched_ext operations) could potentially cause a kernel warning, leading to a denial of service (system instability or crash). The CVSS v3 score of 5.5 (Medium) reflects the requirement for local access and the potential for system disruption [1].

Mitigation

The fix involves clearing ddsp_dsq_id in several additional code paths: direct_dispatch(), process_ddsp_deferred_locals(), do_enqueue_task(), dequeue_task_scx(), and scx_disable_task() [1]. This ensures the stale state is properly cleaned up in all scenarios. The patch has been applied to the Linux kernel stable tree [1][2][3][4]. Users should update to a kernel version containing the fix (e.g., commit 7ea601daa0153e19cd1c6e6b300348c70c05fe77 or later) [1].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7
  • Linux/Kernel7 versions
    cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.12,<6.12.82
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.