{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43438","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:56.009Z","datePublished":"2026-05-08T14:22:07.980Z","dateUpdated":"2026-05-11T22:24:35.627Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:24:35.627Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Remove redundant css_put() in scx_cgroup_init()\n\nThe iterator css_for_each_descendant_pre() walks the cgroup hierarchy\nunder cgroup_lock(). It does not increment the reference counts on\nyielded css structs.\n\nAccording to the cgroup documentation, css_put() should only be used\nto release a reference obtained via css_get() or css_tryget_online().\nSince the iterator does not use either of these to acquire a reference,\ncalling css_put() in the error path of scx_cgroup_init() causes a\nrefcount underflow.\n\nRemove the unbalanced css_put() to prevent a potential Use-After-Free\n(UAF) vulnerability."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/sched/ext.c"],"versions":[{"version":"8195136669661fdfe54e9a8923c33b31c92fc1da","lessThan":"cc095cd305fddbe25a968e4a78436ff9476cf0f6","status":"affected","versionType":"git"},{"version":"8195136669661fdfe54e9a8923c33b31c92fc1da","lessThan":"6eaaa67d6998f6c30c462b140db8c062e07ec473","status":"affected","versionType":"git"},{"version":"8195136669661fdfe54e9a8923c33b31c92fc1da","lessThan":"bf50f3285eda8a0173625fcdb5f183f96e1008cd","status":"affected","versionType":"git"},{"version":"8195136669661fdfe54e9a8923c33b31c92fc1da","lessThan":"1336b579f6079fb8520be03624fcd9ba443c930b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/sched/ext.c"],"versions":[{"version":"6.12","status":"affected"},{"version":"0","lessThan":"6.12","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.19","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.9","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.18.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.19.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/cc095cd305fddbe25a968e4a78436ff9476cf0f6"},{"url":"https://git.kernel.org/stable/c/6eaaa67d6998f6c30c462b140db8c062e07ec473"},{"url":"https://git.kernel.org/stable/c/bf50f3285eda8a0173625fcdb5f183f96e1008cd"},{"url":"https://git.kernel.org/stable/c/1336b579f6079fb8520be03624fcd9ba443c930b"}],"title":"sched_ext: Remove redundant css_put() in scx_cgroup_init()","x_generator":{"engine":"bippy-1.2.0"}}}}