CVE-2025-21771 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix incorrect autogroup migration detection
scx_move_task() is called from sched_move_task() and tells the BPF scheduler that cgroup migration is being committed. sched_move_task() is used by both cgroup and autogroup migrations and scx_move_task() tried to filter out autogroup migrations by testing the destination cgroup and PF_EXITING but this is not enough. In fact, without explicitly tagging the thread which is doing the cgroup migration, there is no good way to tell apart scx_move_task() invocations for racing migration to the root cgroup and an autogroup migration.
This led to scx_move_task() incorrectly ignoring a migration from non-root cgroup to an autogroup of the root cgroup triggering the following warning:
WARNING: CPU: 7 PID: 1 at kernel/sched/ext.c:3725 scx_cgroup_can_attach+0x196/0x340 ... Call Trace: <TASK> cgroup_migrate_execute+0x5b1/0x700 cgroup_attach_task+0x296/0x400 __cgroup_procs_write+0x128/0x140 cgroup_procs_write+0x17/0x30 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x31d/0x4a0 __x64_sys_write+0x72/0xf0 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix it by adding an argument to sched_move_task() that indicates whether the moving is for a cgroup or autogroup migration. After the change, scx_move_task() is called only for cgroup migrations and renamed to scx_cgroup_move_task().
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability CVE-2025-21771 resides within the Linux kernel's scheduler extension subsystem, specifically affecting the scheduling class extension module known as scx. This flaw manifests in the incorrect handling of autogroup migration detection within the scheduling framework, creating a scenario where legitimate cgroup migration operations are misclassified and improperly processed. The issue impacts the kernel's ability to accurately distinguish between different types of cgroup movements, particularly when transitioning tasks between non-root cgroups and autogroups associated with the root cgroup.
The technical root cause lies in the scx_move_task() function implementation within the scheduler extension codebase. This function serves as an interface between the kernel's core scheduling logic and BPF-based schedulers, receiving notifications about cgroup migration operations. The original implementation attempted to differentiate between cgroup and autogroup migrations by examining the destination cgroup and checking for the PF_EXITING flag, but this heuristic proved insufficient for accurate detection. The fundamental problem stems from the lack of explicit tagging mechanisms to identify which thread is performing the cgroup migration, leading to ambiguous state detection in concurrent migration scenarios.
The operational impact of this vulnerability is significant within systems utilizing advanced scheduling extensions and complex cgroup configurations. When the scheduler incorrectly processes autogroup migrations, it can trigger kernel warnings and potentially disrupt normal scheduling behavior, affecting system stability and performance. The warning message indicates a kernel fault occurring at kernel/sched/ext.c line 3725 in the scx_cgroup_can_attach function, which suggests that the kernel's internal consistency checks have detected an unexpected state during migration operations. This condition can manifest during normal system operations when userspace processes attempt to move tasks between cgroups, particularly in environments with complex resource management policies.
The vulnerability's classification aligns with CWE-691, which addresses inadequate protection of code against uncontrolled recursion or improper control flow. The issue also relates to ATT&CK technique T1490, concerning execution through system binaries, as the vulnerability can be exploited through legitimate system operations that trigger the faulty migration code path. The fix implemented addresses this by introducing a new parameter to the sched_move_task() function to explicitly indicate whether the migration operation pertains to cgroup or autogroup movement, effectively resolving the ambiguity that led to incorrect processing.
The resolution involves a structural change to the scheduler extension interface by adding a new argument to the sched_move_task() function that explicitly identifies the migration type. This modification results in the function being renamed to scx_cgroup_move_task() to better reflect its restricted scope of operation, ensuring that it is only invoked for actual cgroup migrations rather than being overloaded to handle both cgroup and autogroup scenarios. This change aligns with security best practices by reducing the attack surface and eliminating ambiguous code paths that could lead to incorrect behavior, thereby strengthening the kernel's scheduling subsystem against potential exploitation through carefully crafted migration operations that might otherwise trigger the faulty logic.