HOMEVULNERABILITIESCVE-2026-43326
NONE

CVE-2026-43326

Published: May 8, 2026· Updated: May 12, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.1th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback

SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using

smp_cond_load_acquire() until the target CPU's kick_sync advances. Because

the irq_work runs in hardirq context, the waiting CPU cannot reschedule and

its own kick_sync never advances. If multiple CPUs form a wait cycle, all

CPUs deadlock.

Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to

force the CPU through do_pick_task_scx(), which queues a balance callback

to perform the wait. The balance callback drops the rq lock and enables

IRQs following the sched_core_balance() pattern, so the CPU can process

IPIs while waiting. The local CPU's kick_sync is advanced on entry to

do_pick_task_scx() and continuously during the wait, ensuring any CPU that

starts waiting for us sees the advancement and cannot form cyclic

dependencies.

NVD Source

Technical Analysis

CVE-2026-43326 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (2)

Quick Facts

CVE IDCVE-2026-43326
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 8, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43326 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.