CVE-2026-45919
Description
In the Linux kernel, the following vulnerability has been resolved: sched/rt: Skip currently executing CPU in rto_next_cpu() CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound RT task, and a CFS task stuck in kernel space. When other CPUs switch from RT to non-RT tasks, RT load balancing (LB) is triggered; with HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution of rto_push_irq_work_func. During push_rt_task on CPU0, if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED and after the push operation completes, CPU0 calls rto_next_cpu(). Since only CPU0 is overloaded in this scenario, rto_next_cpu() should ideally return -1 (no further IPI needed). However, multiple CPUs invoking tell_cpu_to_push() during LB increments rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory && rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop, which triggers a CPU hardlockup due to continuous self-interrupts. The trigging scenario is as follows: cpu0 cpu1 cpu2 pull_rt_task tell_cpu_to_push <------------irq_work_queue_on rto_push_irq_work_func push_rt_task resched_curr(rq) pull_rt_task rto_next_cpu tell_cpu_to_push <-------------------------- atomic_inc(rto_loop_next) rd->rto_loop != next rto_next_cpu irq_work_queue_on rto_push_irq_work_func Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu(). This solution has been verified to effectively eliminate spurious self-IPIs and prevent CPU hardlockup scenarios.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 6.1.170-1 |
| debian | forky | fixed | 6.18.14-1 |
| debian | sid | fixed | 6.18.14-1 |
| debian | trixie | fixed | 6.12.85-1 |
| sles | affected | | |
| debian | bullseye | fixed | 5.10.257-1 |
References
- https://git.kernel.org/stable/c/d57d0746276a88ea43a2cc62b849fd8a95e32e41
- https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3
- https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b
- https://git.kernel.org/stable/c/8ad5577b2d4acfd83f03d97a0aece2d18aac5f07
- https://git.kernel.org/stable/c/a6a73403733e86748421f2eeaf028c85683ef896
- https://git.kernel.org/stable/c/52aeb1e07ec223caf212f036817976c98d2aa250
- https://git.kernel.org/stable/c/9f25edc5a20cb52a5abbf25f0724bb4732b81801
- https://git.kernel.org/stable/c/94894c9c477e53bcea052e075c53f89df3d2a33e
- https://security-tracker.debian.org/tracker/CVE-2026-45919
- https://www.suse.com/security/cve/CVE-2026-45919.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.