{ "affected": [ { "ranges": [ { "events": [ { "introduced": "2279f540ea7d05f22d2f0c4224319330228586bc" }, { "fixed": "ba1c22924ddcc280672a2a06a9ca99ee3a1b92c3" }, { "fixed": "d658686a1331db3bb108ca079d76deb3208ed949" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "last_affected": "3cc3d77dc541181f97f1dc96d2977ef8359fd760" }, { "last_affected": "d2b65976bf1ae9d0d9dd5770cd01695559438309" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] }, { "package": { "ecosystem": "Linux", "name": "Kernel" }, "ranges": [ { "events": [ { "introduced": "5.10.0" }, { "fixed": "6.19.7" } ], "type": "ECOSYSTEM" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23371.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting\n\nRunning stress-ng --schedpolicy 0 on an RT kernel on a big machine\nmight lead to the following WARNINGs (edited).\n\n sched: DL de-boosted task PID 22725: REPLENISH flag missing\n\n WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8\n ... (running_bw underflow)\n Call trace:\n dequeue_task_dl+0x15c/0x1f8 (P)\n dequeue_task+0x80/0x168\n deactivate_task+0x24/0x50\n push_dl_task+0x264/0x2e0\n dl_task_timer+0x1b0/0x228\n __hrtimer_run_queues+0x188/0x378\n hrtimer_interrupt+0xfc/0x260\n ...\n\nThe problem is that when a SCHED_DEADLINE task (lock holder) is\nchanged to a lower priority class via sched_setscheduler(), it may\nfail to properly inherit the parameters of potential DEADLINE donors\nif it didn't already inherit them in the past (shorter deadline than\ndonor's at that time). This might lead to bandwidth accounting\ncorruption, as enqueue_task_dl() won't recognize the lock holder as\nboosted.\n\nThe scenario occurs when:\n1. A DEADLINE task (donor) blocks on a PI mutex held by another\n DEADLINE task (holder), but the holder doesn't inherit parameters\n (e.g., it already has a shorter deadline)\n2. sched_setscheduler() changes the holder from DEADLINE to a lower\n class while still holding the mutex\n3. The holder should now inherit DEADLINE parameters from the donor\n and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen\n\nFix the issue by introducing __setscheduler_dl_pi(), which detects when\na DEADLINE (proper or boosted) task gets setscheduled to a lower\npriority class. In case, the function makes the task inherit DEADLINE\nparameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to\nensure proper bandwidth accounting during the next enqueue operation.", "id": "CVE-2026-23371", "modified": "2026-04-01T23:08:18.325794078Z", "published": "2026-03-25T10:27:52.158Z", "references": [ { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/ba1c22924ddcc280672a2a06a9ca99ee3a1b92c3" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/d658686a1331db3bb108ca079d76deb3208ed949" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23371.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23371" } ], "schema_version": "1.7.3", "summary": "sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting" }