Overview
CVE-2025-40260 describes a vulnerability in the Linux kernel’s sched_ext subsystem. This issue could lead to a kernel crash if the creation of a helper kthread fails during the scx_enable() process. This article provides a detailed overview of the vulnerability, its potential impact, and the steps taken to mitigate it.
Technical Details
The vulnerability arises within the scx_enable() function, specifically when the kernel attempts to allocate and add a scheduler. The kthread_run_worker() function, used to create the helper kthread, returns an error pointer (ERR_PTR()) upon failure, rather than NULL. The original code only checked for a NULL return value. If kthread creation failed (for example, because of a signal such as SIGQUIT), scx_alloc_and_add_sched() did not detect the error, and scx_enable() went on to dereference an invalid memory address (the error pointer), causing a kernel crash.
The fix involves updating scx_alloc_and_add_sched() to correctly handle the ERR_PTR() return value. Instead of just checking for NULL, the function now propagates the PTR_ERR() value into the return variable (ret). This ensures that scx_enable() recognizes the error and jumps to the existing error handling path, preventing the invalid memory dereference.
The vulnerability was discovered during sched_ext selftests, specifically when the test runner was terminated using Ctrl+\ during test 15. The crash manifested as a kernel panic with a backtrace indicating the invalid memory access within scx_enable.
CVSS Analysis
Currently, a CVSS score is not available (N/A) for this vulnerability. While a kernel crash is a serious issue, the specific conditions required to trigger it (failure during kthread creation within sched_ext, likely during specific test scenarios or resource exhaustion) suggest a lower exploitability. However, given the potential for a denial-of-service condition (kernel crash), it should be treated with appropriate concern.
Possible Impact
The primary impact of this vulnerability is a potential denial-of-service (DoS) condition. If an attacker can trigger the conditions that lead to helper kthread creation failure within the sched_ext subsystem, they could potentially crash the kernel, rendering the system unavailable. This could be achieved, for example, by exploiting resource limitations or sending specific signals at a critical time.
Mitigation or Patch Steps
The vulnerability is resolved by applying the patch referenced below. Users are advised to update their Linux kernel to a version that includes the fix. Distributions that backport security fixes will likely include this fix in a future update. Check your distribution’s security advisories for more information.
