CVE-2026-45919 (GCVE-0-2026-45919)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-27 12:17
VLAI
Title
sched/rt: Skip currently executing CPU in rto_next_cpu()
Summary
In the Linux kernel, the following vulnerability has been resolved: sched/rt: Skip currently executing CPU in rto_next_cpu() CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound RT task, and a CFS task stuck in kernel space. When other CPUs switch from RT to non-RT tasks, RT load balancing (LB) is triggered; with HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution of rto_push_irq_work_func. During push_rt_task on CPU0, if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED and after the push operation completes, CPU0 calls rto_next_cpu(). Since only CPU0 is overloaded in this scenario, rto_next_cpu() should ideally return -1 (no further IPI needed). However, multiple CPUs invoking tell_cpu_to_push() during LB increments rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory && rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop, which triggers a CPU hardlockup due to continuous self-interrupts. The trigging scenario is as follows: cpu0 cpu1 cpu2 pull_rt_task tell_cpu_to_push <------------irq_work_queue_on rto_push_irq_work_func push_rt_task resched_curr(rq) pull_rt_task rto_next_cpu tell_cpu_to_push <-------------------------- atomic_inc(rto_loop_next) rd->rto_loop != next rto_next_cpu irq_work_queue_on rto_push_irq_work_func Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu(). This solution has been verified to effectively eliminate spurious self-IPIs and prevent CPU hardlockup scenarios.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < d57d0746276a88ea43a2cc62b849fd8a95e32e41 (git)
Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < 3b3c672a66db3de3b40f8a7057864bc1f874ede3 (git)
Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < 16ca9f3117e9a294646c897daf08a5ab546c711b (git)
Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < 8ad5577b2d4acfd83f03d97a0aece2d18aac5f07 (git)
Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < a6a73403733e86748421f2eeaf028c85683ef896 (git)
Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < 52aeb1e07ec223caf212f036817976c98d2aa250 (git)
Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < 9f25edc5a20cb52a5abbf25f0724bb4732b81801 (git)
Affected: 4bdced5c9a2922521e325896a7bbbf0132c94e56 , < 94894c9c477e53bcea052e075c53f89df3d2a33e (git)
Affected: cb1831a83e54cd3269a2420fce81c4fd8ae6f667 (git)
Affected: 1c37ff78298a6b6063649123356a312e1cce12ca (git)
Affected: f17c786b28a3060a566a170c2cf3bd7441fc30a3 (git)
Affected: 4.4.103 , < 4.5 (semver)
Affected: 4.9.66 , < 4.10 (semver)
Affected: 4.14.3 , < 4.15 (semver)
Create a notification for this product.
Linux Linux Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.10.252 , ≤ 5.10.* (semver)
Unaffected: 5.15.202 , ≤ 5.15.* (semver)
Unaffected: 6.1.165 , ≤ 6.1.* (semver)
Unaffected: 6.6.128 , ≤ 6.6.* (semver)
Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.14 , ≤ 6.18.* (semver)
Unaffected: 6.19.4 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/rt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d57d0746276a88ea43a2cc62b849fd8a95e32e41",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "lessThan": "3b3c672a66db3de3b40f8a7057864bc1f874ede3",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "lessThan": "16ca9f3117e9a294646c897daf08a5ab546c711b",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "lessThan": "8ad5577b2d4acfd83f03d97a0aece2d18aac5f07",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "lessThan": "a6a73403733e86748421f2eeaf028c85683ef896",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "lessThan": "52aeb1e07ec223caf212f036817976c98d2aa250",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "lessThan": "9f25edc5a20cb52a5abbf25f0724bb4732b81801",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "lessThan": "94894c9c477e53bcea052e075c53f89df3d2a33e",
              "status": "affected",
              "version": "4bdced5c9a2922521e325896a7bbbf0132c94e56",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cb1831a83e54cd3269a2420fce81c4fd8ae6f667",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1c37ff78298a6b6063649123356a312e1cce12ca",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f17c786b28a3060a566a170c2cf3bd7441fc30a3",
              "versionType": "git"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.103",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.66",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/rt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.103",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.66",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/rt: Skip currently executing CPU in rto_next_cpu()\n\nCPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound\nRT task, and a CFS task stuck in kernel space. When other CPUs switch from\nRT to non-RT tasks, RT load balancing (LB) is triggered; with\nHAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution\nof rto_push_irq_work_func. During push_rt_task on CPU0,\nif next_task-\u003eprio \u003c rq-\u003edonor-\u003eprio, resched_curr() sets NEED_RESCHED\nand after the push operation completes, CPU0 calls rto_next_cpu().\nSince only CPU0 is overloaded in this scenario, rto_next_cpu() should\nideally return -1 (no further IPI needed).\n\nHowever, multiple CPUs invoking tell_cpu_to_push() during LB increments\nrd-\u003erto_loop_next. Even when rd-\u003erto_cpu is set to -1, the mismatch between\nrd-\u003erto_loop and rd-\u003erto_loop_next forces rto_next_cpu() to restart its\nsearch from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory\n\u0026\u0026 rt_nr_total \u003e 1), it gets reselected, causing CPU0 to queue irq_work to\nitself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and\nother CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop,\nwhich triggers a CPU hardlockup due to continuous self-interrupts.\n\nThe trigging scenario is as follows:\n\n         cpu0                      cpu1                    cpu2\n                                pull_rt_task\n                              tell_cpu_to_push\n                 \u003c------------irq_work_queue_on\nrto_push_irq_work_func\n       push_rt_task\n    resched_curr(rq)                                   pull_rt_task\n    rto_next_cpu                                     tell_cpu_to_push\n                      \u003c-------------------------- atomic_inc(rto_loop_next)\nrd-\u003erto_loop != next\n     rto_next_cpu\n   irq_work_queue_on\nrto_push_irq_work_func\n\nFix redundant self-IPI by filtering the initiating CPU in rto_next_cpu().\nThis solution has been verified to effectively eliminate spurious self-IPIs\nand prevent CPU hardlockup scenarios."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:17:37.165Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d57d0746276a88ea43a2cc62b849fd8a95e32e41"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3"
        },
        {
          "url": "https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ad5577b2d4acfd83f03d97a0aece2d18aac5f07"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6a73403733e86748421f2eeaf028c85683ef896"
        },
        {
          "url": "https://git.kernel.org/stable/c/52aeb1e07ec223caf212f036817976c98d2aa250"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f25edc5a20cb52a5abbf25f0724bb4732b81801"
        },
        {
          "url": "https://git.kernel.org/stable/c/94894c9c477e53bcea052e075c53f89df3d2a33e"
        }
      ],
      "title": "sched/rt: Skip currently executing CPU in rto_next_cpu()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45919",
    "datePublished": "2026-05-27T12:17:37.165Z",
    "dateReserved": "2026-05-13T15:03:33.085Z",
    "dateUpdated": "2026-05-27T12:17:37.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45919",
      "date": "2026-05-29",
      "epss": "0.00024",
      "percentile": "0.07061"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45919\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:06.790\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/rt: Skip currently executing CPU in rto_next_cpu()\\n\\nCPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound\\nRT task, and a CFS task stuck in kernel space. When other CPUs switch from\\nRT to non-RT tasks, RT load balancing (LB) is triggered; with\\nHAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution\\nof rto_push_irq_work_func. During push_rt_task on CPU0,\\nif next_task-\u003eprio \u003c rq-\u003edonor-\u003eprio, resched_curr() sets NEED_RESCHED\\nand after the push operation completes, CPU0 calls rto_next_cpu().\\nSince only CPU0 is overloaded in this scenario, rto_next_cpu() should\\nideally return -1 (no further IPI needed).\\n\\nHowever, multiple CPUs invoking tell_cpu_to_push() during LB increments\\nrd-\u003erto_loop_next. Even when rd-\u003erto_cpu is set to -1, the mismatch between\\nrd-\u003erto_loop and rd-\u003erto_loop_next forces rto_next_cpu() to restart its\\nsearch from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory\\n\u0026\u0026 rt_nr_total \u003e 1), it gets reselected, causing CPU0 to queue irq_work to\\nitself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and\\nother CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop,\\nwhich triggers a CPU hardlockup due to continuous self-interrupts.\\n\\nThe trigging scenario is as follows:\\n\\n         cpu0                      cpu1                    cpu2\\n                                pull_rt_task\\n                              tell_cpu_to_push\\n                 \u003c------------irq_work_queue_on\\nrto_push_irq_work_func\\n       push_rt_task\\n    resched_curr(rq)                                   pull_rt_task\\n    rto_next_cpu                                     tell_cpu_to_push\\n                      \u003c-------------------------- atomic_inc(rto_loop_next)\\nrd-\u003erto_loop != next\\n     rto_next_cpu\\n   irq_work_queue_on\\nrto_push_irq_work_func\\n\\nFix redundant self-IPI by filtering the initiating CPU in rto_next_cpu().\\nThis solution has been verified to effectively eliminate spurious self-IPIs\\nand prevent CPU hardlockup scenarios.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/52aeb1e07ec223caf212f036817976c98d2aa250\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8ad5577b2d4acfd83f03d97a0aece2d18aac5f07\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/94894c9c477e53bcea052e075c53f89df3d2a33e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9f25edc5a20cb52a5abbf25f0724bb4732b81801\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a6a73403733e86748421f2eeaf028c85683ef896\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d57d0746276a88ea43a2cc62b849fd8a95e32e41\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.