Bug 2464428 (CVE-2026-31734) - CVE-2026-31734 kernel: sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU
Summary: CVE-2026-31734 kernel: sched_ext: Fix is_bpf_migration_disabled() false negat...
Keywords:
Status: NEW
Alias: CVE-2026-31734
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:06 UTC by OSIDB Bzimport
Modified: 2026-05-01 21:24 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:06:18 UTC 
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU

Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for
trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable()
only when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate().
Without CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled,
so migration_disabled == 1 always means the task is truly
migration-disabled regardless of whether it is the current task.

The old unconditional p == current check was a false negative in this
case, potentially allowing a migration-disabled task to be dispatched to
a remote CPU and triggering scx_error in task_can_run_on_remote_rq().

Only apply the p == current disambiguation when CONFIG_PREEMPT_RCU is
enabled, where the ambiguity with the BPF prolog still exists.
Comment 1 Keith Grant 2026-05-01 21:22:28 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050137-CVE-2026-31734-da05@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.