CVE-2026-43438

Published: 2026-05-08 15:16:56 | Last modified: 2026-05-12 14:10:27

HIGH CVSS 7.8

No EPSS data

Description

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Remove redundant css_put() in scx_cgroup_init()

The iterator css_for_each_descendant_pre() walks the cgroup hierarchy
under cgroup_lock(). It does not increment the reference counts on
yielded css structs.

According to the cgroup documentation, css_put() should only be used
to release a reference obtained via css_get() or css_tryget_online().
Since the iterator does not use either of these to acquire a reference,
calling css_put() in the error path of scx_cgroup_init() causes a
refcount underflow.

Remove the unbalanced css_put() to prevent a potential Use-After-Free
(UAF) vulnerability.

CVSS details

Severity: high
Score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

This CVE is not currently listed in the EPSS dataset.

Show JSON

{
    "cve": {
        "id": "CVE-2026-43438",
        "cveTags": [],
        "metrics": {
            "cvssMetricV31": [
                {
                    "type": "Secondary",
                    "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                    "cvssData": {
                        "scope": "UNCHANGED",
                        "version": "3.1",
                        "baseScore": 7.8,
                        "attackVector": "LOCAL",
                        "baseSeverity": "HIGH",
                        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                        "integrityImpact": "HIGH",
                        "userInteraction": "NONE",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "HIGH",
                        "privilegesRequired": "LOW",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 5.9,
                    "exploitabilityScore": 1.8
                }
            ]
        },
        "published": "2026-05-08T15:16:56.160",
        "references": [
            {
                "url": "https://git.kernel.org/stable/c/1336b579f6079fb8520be03624fcd9ba443c930b",
                "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
            },
            {
                "url": "https://git.kernel.org/stable/c/6eaaa67d6998f6c30c462b140db8c062e07ec473",
                "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
            },
            {
                "url": "https://git.kernel.org/stable/c/bf50f3285eda8a0173625fcdb5f183f96e1008cd",
                "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
            },
            {
                "url": "https://git.kernel.org/stable/c/cc095cd305fddbe25a968e4a78436ff9476cf0f6",
                "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
            }
        ],
        "vulnStatus": "Awaiting Analysis",
        "descriptions": [
            {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Remove redundant css_put() in scx_cgroup_init()\n\nThe iterator css_for_each_descendant_pre() walks the cgroup hierarchy\nunder cgroup_lock(). It does not increment the reference counts on\nyielded css structs.\n\nAccording to the cgroup documentation, css_put() should only be used\nto release a reference obtained via css_get() or css_tryget_online().\nSince the iterator does not use either of these to acquire a reference,\ncalling css_put() in the error path of scx_cgroup_init() causes a\nrefcount underflow.\n\nRemove the unbalanced css_put() to prevent a potential Use-After-Free\n(UAF) vulnerability."
            }
        ],
        "lastModified": "2026-05-12T14:10:27.343",
        "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
}