CVE-2026-31734
Description
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU
Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable() only when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate(). Without CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled, so migration_disabled == 1 always means the task is truly migration-disabled regardless of whether it is the current task.
The old unconditional p == current check was a false negative in this case, potentially allowing a migration-disabled task to be dispatched to a remote CPU and triggering scx_error in task_can_run_on_remote_rq().
Only apply the p == current disambiguation when CONFIG_PREEMPT_RCU is enabled, where the ambiguity with the BPF prolog still exists.
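The description above can be checked with a small user-space model. This is an added example, not kernel source: `struct task`, `is_current` (standing in for `p == current`), `old_check`, `fixed_check` and `count_disagreements` are illustrative names, and treating a count above 1 as unambiguously migration-disabled is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only; field and function names are assumptions. */
struct task {
    int migration_disabled;   /* nesting count of migrate_disable() */
    bool is_current;          /* stands in for "p == current" */
};

/* Pre-fix logic: a count of 1 on the current task is always blamed on
 * the BPF prolog, so the task is reported as NOT migration-disabled. */
static bool old_check(const struct task *p)
{
    if (p->migration_disabled == 1)
        return !p->is_current;
    return p->migration_disabled > 1;   /* assumption: >1 is unambiguous */
}

/* Post-fix logic: only disambiguate when the prolog can actually have
 * contributed the count, i.e. when CONFIG_PREEMPT_RCU is enabled. */
static bool fixed_check(const struct task *p, bool preempt_rcu)
{
    if (p->migration_disabled == 1)
        return preempt_rcu ? !p->is_current : true;
    return p->migration_disabled > 1;
}

/* Walk every (count, current) state and report where the two differ. */
static int count_disagreements(bool preempt_rcu)
{
    int n = 0;
    for (int count = 0; count <= 2; count++) {
        for (int cur = 0; cur <= 1; cur++) {
            struct task t = { count, cur != 0 };
            bool o = old_check(&t), f = fixed_check(&t, preempt_rcu);
            if (o != f) {
                printf("PREEMPT_RCU=%d count=%d current=%d old=%d fixed=%d\n",
                       preempt_rcu, count, cur, o, f);
                n++;
            }
        }
    }
    return n;
}

int main(void)
{
    printf("disagreements without PREEMPT_RCU: %d\n", count_disagreements(false));
    printf("disagreements with PREEMPT_RCU: %d\n", count_disagreements(true));
    return 0;
}
```

The only state where the two versions differ is the current task with a count of 1 on a kernel without CONFIG_PREEMPT_RCU, which is the false negative the fix removes.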
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a false negative in is_bpf_migration_disabled() on non-PREEMPT_RCU kernels could allow migration-disabled tasks to be dispatched to remote CPUs, impacting scheduler reliability.
Vulnerability
A false negative in the is_bpf_migration_disabled() check within the Linux kernel's sched_ext subsystem could allow a migration-disabled task to be incorrectly considered as migratable. The root cause lies in the interaction with the BPF trampoline prolog: since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for trampoline.c"), the BPF prolog calls migrate_disable() only when CONFIG_PREEMPT_RCU is enabled. Without CONFIG_PREEMPT_RCU, migration_disabled == 1 always indicates true migration-disabled status, but the old code unconditionally checked p == current, creating a false negative on non-PREEMPT_RCU configurations [1].
Exploitation
An attacker with local access and the ability to trigger scheduler operations could potentially leverage this bug to cause a migration-disabled task to be dispatched to a remote CPU. The vulnerability is triggered during scheduler decisions in task_can_run_on_remote_rq(), which may incorrectly allow a task that should not be migrated to be moved [1].
Impact
Successful exploitation could lead to a scx_error in task_can_run_on_remote_rq(), potentially causing system instability or denial of service. The impact is limited to systems running the sched_ext scheduler extension with BPF programs, and only on kernels built without CONFIG_PREEMPT_RCU [1].
Mitigation
The fix, applied in Linux kernel stable commits, ensures that the p == current disambiguation is only used when CONFIG_PREEMPT_RCU is enabled, eliminating the false negative. Users should update to a patched kernel version containing commits such as the one referenced in [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.18,<6.18.22)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.