CVE-2026-46154

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters<br /> <br /> scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring<br /> scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs.<br /> If the loaded scheduler is disabled and freed (via RCU work) and another is<br /> enabled between the naked load and the rwsem acquire, the reader sees<br /> scx_cgroup_enabled=true (the new scheduler&amp;#39;s) but dereferences the freed one<br /> - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).<br /> <br /> scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write<br /> (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section<br /> correlates @sch with the enabled snapshot.