Linux Kernel: ENQUEUE_REPLENISH omitted on PI de-boost causes overflow
CVE-2026-23371 Published on March 25, 2026
sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting
Running stress-ng --schedpolicy 0 on an RT kernel on a big machine
might lead to the following WARNINGs (edited).
sched: DL de-boosted task PID 22725: REPLENISH flag missing
WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8
... (running_bw underflow)
Call trace:
dequeue_task_dl+0x15c/0x1f8 (P)
dequeue_task+0x80/0x168
deactivate_task+0x24/0x50
push_dl_task+0x264/0x2e0
dl_task_timer+0x1b0/0x228
__hrtimer_run_queues+0x188/0x378
hrtimer_interrupt+0xfc/0x260
...
The problem is that when a SCHED_DEADLINE task (lock holder) is
changed to a lower priority class via sched_setscheduler(), it may
fail to properly inherit the parameters of potential DEADLINE donors
if it didn't already inherit them in the past (shorter deadline than
donor's at that time). This might lead to bandwidth accounting
corruption, as enqueue_task_dl() won't recognize the lock holder as
boosted.
The scenario occurs when:
1. A DEADLINE task (donor) blocks on a PI mutex held by another
DEADLINE task (holder), but the holder doesn't inherit parameters
(e.g., it already has a shorter deadline)
2. sched_setscheduler() changes the holder from DEADLINE to a lower
class while still holding the mutex
3. The holder should now inherit DEADLINE parameters from the donor
and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen
Fix the issue by introducing __setscheduler_dl_pi(), which detects when
a DEADLINE (proper or boosted) task gets setscheduled to a lower
priority class. In case, the function makes the task inherit DEADLINE
parameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to
ensure proper bandwidth accounting during the next enqueue operation.
Products Associated with CVE-2026-23371
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 2279f540ea7d05f22d2f0c4224319330228586bc and below ba1c22924ddcc280672a2a06a9ca99ee3a1b92c3 is affected.
- Version 2279f540ea7d05f22d2f0c4224319330228586bc and below d658686a1331db3bb108ca079d76deb3208ed949 is affected.
- Version 3cc3d77dc541181f97f1dc96d2977ef8359fd760 is affected.
- Version d2b65976bf1ae9d0d9dd5770cd01695559438309 is affected.
- Version 5.10 is affected.
- Before 5.10 is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc3, <= * is unaffected.