HOMEVULNERABILITIESCVE-2026-23371
NONE

CVE-2026-23371

Published: March 25, 2026· Updated: Mar 25, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:4.7th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting

Running stress-ng --schedpolicy 0 on an RT kernel on a big machine

might lead to the following WARNINGs (edited).

sched: DL de-boosted task PID 22725: REPLENISH flag missing

WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8

... (running_bw underflow)

Call trace:

dequeue_task_dl+0x15c/0x1f8 (P)

dequeue_task+0x80/0x168

deactivate_task+0x24/0x50

push_dl_task+0x264/0x2e0

dl_task_timer+0x1b0/0x228

__hrtimer_run_queues+0x188/0x378

hrtimer_interrupt+0xfc/0x260

...

The problem is that when a SCHED_DEADLINE task (lock holder) is

changed to a lower priority class via sched_setscheduler(), it may

fail to properly inherit the parameters of potential DEADLINE donors

if it didn't already inherit them in the past (shorter deadline than

donor's at that time). This might lead to bandwidth accounting

corruption, as enqueue_task_dl() won't recognize the lock holder as

boosted.

The scenario occurs when:

1. A DEADLINE task (donor) blocks on a PI mutex held by another

DEADLINE task (holder), but the holder doesn't inherit parameters

(e.g., it already has a shorter deadline)

2. sched_setscheduler() changes the holder from DEADLINE to a lower

class while still holding the mutex

3. The holder should now inherit DEADLINE parameters from the donor

and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen

Fix the issue by introducing __setscheduler_dl_pi(), which detects when

a DEADLINE (proper or boosted) task gets setscheduled to a lower

priority class. In case, the function makes the task inherit DEADLINE

parameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to

ensure proper bandwidth accounting during the next enqueue operation.

NVD Source

Technical Analysis

CVE-2026-23371 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-23371
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23371 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.