CVE-2026-46154 · Severity: HIGH · CNA: Linux

CVE-2026-46154: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters

scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.
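To make the race in the description concrete, the following user-space C model is an added example, not code from the kernel or from HarborGuard: the buggy setter shape caches scx_root before taking the rwsem read side, the fixed shape reads it inside, and a driver plays out the disable-then-enable interleaving in the window between them. struct scx_sched, the rwsem flag, scheduler_swap and run_race are stand-ins, and the 'freed' flag reports the stale dereference that would be a use-after-free in the kernel.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy single-threaded model of the race behind CVE-2026-46154 (added example, user-space,
 * not kernel code). struct scx_sched and the rwsem are stand-ins; a 'freed' flag replaces
 * the deferred RCU free so a stale dereference is reported instead of being a real UAF. */
struct scx_sched { bool freed; };
enum { OP_SKIPPED = 0, OP_CALLED = 1, OP_USE_AFTER_FREE = -1 };
static struct scx_sched *scx_root;   /* loaded scheduler, NULL when none */
static bool scx_cgroup_enabled;      /* flipped only on the rwsem write side */
static bool in_read_section;         /* rwsem bookkeeping: the write side must wait */
static void down_read(void) { in_read_section = true; }
static void up_read(void)   { in_read_section = false; }

/* scx_cgroup_exit of the current scheduler, then scx_cgroup_init of @next, both write-side. */
static bool scheduler_swap(struct scx_sched *next) {
    if (in_read_section) return false;      /* a real rwsem would block here */
    scx_cgroup_enabled = false;
    if (scx_root) scx_root->freed = true;   /* stands in for the RCU work freeing it */
    scx_root = next; scx_cgroup_enabled = (next != NULL); return true;
}
/* SCX_HAS_OP/SCX_CALL_OP stand-in: reports a dereference of a freed scheduler. */
static int call_cgroup_op(struct scx_sched *sch) { return sch->freed ? OP_USE_AFTER_FREE : OP_CALLED; }

/* Buggy shape, split in two so the driver can interpose in the window: scx_root is cached
 * before the read section, then used under the NEW scheduler's scx_cgroup_enabled. */
static struct scx_sched *buggy_set_weight_begin(void) { return scx_root; }
static int buggy_set_weight_finish(struct scx_sched *sch) {
    down_read();
    int rc = scx_cgroup_enabled ? call_cgroup_op(sch) : OP_SKIPPED;
    up_read(); return rc;
}
/* Fixed shape: scx_root is read inside the read section, so @sch and the enabled snapshot
 * come from the same write-side epoch and the swap cannot slip in between. */
static int fixed_set_weight(void) {
    down_read();
    struct scx_sched *sch = scx_root;
    int rc = (scx_cgroup_enabled && sch) ? call_cgroup_op(sch) : OP_SKIPPED;
    up_read(); return rc;
}

/* Advisory interleaving: A loaded, setter loads scx_root, A disabled and freed, B enabled,
 * setter continues. Returns the setter's result code. */
static int run_race(bool use_fixed) {
    static struct scx_sched a, b; a.freed = b.freed = false; scx_root = NULL;
    scheduler_swap(&a);
    struct scx_sched *cached = use_fixed ? NULL : buggy_set_weight_begin();
    scheduler_swap(&b);
    return use_fixed ? fixed_set_weight() : buggy_set_weight_finish(cached);
}
```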

HarborGuard Analysis

Synopsis

A use-after-free (UAF) vulnerability exists in the Linux kernel's extensible CPU scheduler (sched_ext) subsystem, specifically in the cgroup weight, idle, and bandwidth setter functions. The flaw is reachable locally by a low-privileged user but requires a precise race window between a scheduler being disabled and a new one being enabled, placing it in the high-complexity category. Successful exploitation gives an attacker read and write access to kernel memory through the dangling pointer, or the ability to crash the kernel. A patched-image rebuild is available on HarborGuard for environments running affected kernel versions.

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel feeds and NVD within minutes of publication and matched against all customer images, including custom-built images that package affected kernel versions. Any image layer carrying a Linux kernel build in the vulnerable version range is flagged automatically.

Triage (Available)

HarborGuard is capable of scoring this finding at CVSS 7.0 (HIGH) and weighting it further against each environment's compliance policy to reflect local risk tolerance. Routed findings land in the appropriate team inbox inside each customer org based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild targeting fix versions 6.18.32, 7.0.7, or the 7.1-rc2 line becomes available on HarborGuard once the upstream fix is confirmed in the image's base layer. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required.

  • Authentication: Required

    A low-privilege local account is sufficient to trigger the race condition in the cgroup setter paths.

  • Victim interaction: Not required

    No user interaction is needed; the attacker exploits the race entirely through their own process.

  • Attack complexity: High

    Exploitation requires precise timing to win a race between a scheduler being torn down via RCU and a replacement being enabled, making reliable triggering dependent on environmental conditions.

Blast Radius

  • A successful attacker can read arbitrary kernel memory, exposing sensitive data such as credentials, keys, or scheduler state held in the freed scheduler object.
  • The attacker can corrupt or overwrite kernel memory through the dangling pointer, allowing modification of scheduler structures or other kernel data.
  • Dereferencing the freed pointer can crash the kernel entirely, taking down the host and all workloads running on it.
  • Because impact spans confidentiality, integrity, and availability at the kernel level, container isolation boundaries on the same host are at risk of being bypassed.

How HarborGuard Handles This

Available on HarborGuard: detection fires as soon as the CVE record is ingested, matching any image that packages an affected kernel version against the fix boundaries at 6.18.32, 7.0.7, or commit 0f54f6355575971673d8aac7da107ec4178e45bd. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the patched version, execute a regression run, and open a PR against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated inbox with CVSS score, affected image list, and recommended fix version attached. Because this is a local privilege-escalation-class kernel bug, customers without an immediate patching path should consider restricting cgroup write permissions to privileged containers only and auditing which workloads run with elevated Linux capabilities on affected kernel versions.

Metrics

CVSS v3.1: 7.0
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available: 0, 0f54f6355575971673d8aac7da107ec4178e45bd, 6.18.32, 7.0.7, 7.1-rc2, 80afd4c84bc8f5e80145ce35279f5ce53f6043db, ce9aaa3af445c391735c9d000c4db60dfd5640d4

Affected packages
  • Linux / Linux
    < ce9aaa3af445c391735c9d000c4db60dfd5640d4 (from a5bd6ba30b3364354269b81ac55c2edca9a96d6d) · < 0f54f6355575971673d8aac7da107ec4178e45bd (from a5bd6ba30b3364354269b81ac55c2edca9a96d6d) · < 80afd4c84bc8f5e80145ce35279f5ce53f6043db (from a5bd6ba30b3364354269b81ac55c2edca9a96d6d)
  • Linux / Linux
    6.18
    Fixed in 0, 6.18.32, 7.0.7, 7.1-rc2
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H