CVE-2025-39780 in Linuxinfo

Summary

by MITRE • 09/11/2025

In the Linux kernel, the following vulnerability has been resolved:

sched/ext: Fix invalid task state transitions on class switch

When enabling a sched_ext scheduler, we may trigger invalid task state transitions, resulting in warnings like the following (which can be easily reproduced by running the hotplug selftest in a loop):

sched_ext: Invalid task state transition 0 -> 3 for fish[770]
WARNING: CPU: 18 PID: 787 at kernel/sched/ext.c:3862 scx_set_task_state+0x7c/0xc0 ... RIP: 0010:scx_set_task_state+0x7c/0xc0 ... Call Trace: <TASK> scx_enable_task+0x11f/0x2e0 switching_to_scx+0x24/0x110 scx_enable.isra.0+0xd14/0x13d0 bpf_struct_ops_link_create+0x136/0x1a0 __sys_bpf+0x1edd/0x2c30 __x64_sys_bpf+0x21/0x30 do_syscall_64+0xbb/0x370 entry_SYSCALL_64_after_hwframe+0x77/0x7f

This happens because we skip initialization for tasks that are already dead (with their usage counter set to zero), but we don't exclude them during the scheduling class transition phase.

Fix this by also skipping dead tasks during class swiching, preventing invalid task state transitions.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 11/27/2025

The vulnerability identified as CVE-2025-39780 represents a critical issue within the Linux kernel's scheduling subsystem, specifically affecting the sched_ext scheduler implementation. This flaw manifests as invalid task state transitions that can lead to system instability and potential security implications. The vulnerability occurs during the process of enabling a sched_ext scheduler, where the kernel attempts to transition tasks between different scheduling classes while failing to properly account for tasks that have already been marked as dead or terminated. The issue is particularly concerning because it can be easily reproduced through automated testing procedures, making it a significant concern for production systems that rely on dynamic scheduling modifications.

The technical root cause of this vulnerability lies in the improper handling of task state management during scheduler class transitions. When the sched_ext scheduler is enabled, the kernel performs a check to skip initialization for tasks that are already dead, specifically those with their usage counter set to zero. However, this same logic fails to account for dead tasks during the scheduling class transition phase, leading to inconsistent state management. The flaw is particularly evident in the kernel's scheduling extension code at kernel/sched/ext.c line 3862, where the scx_set_task_state function encounters invalid state transitions from 0 (TASK_RUNNING) to 3 (TASK_INTERRUPTIBLE). This inconsistency creates a scenario where the kernel attempts to modify the state of already terminated processes, resulting in kernel warnings and potential system crashes.

The operational impact of this vulnerability extends beyond simple system warnings to potentially compromise system stability and security. When invalid task state transitions occur, they can trigger kernel panic conditions or lead to unpredictable behavior in the scheduling subsystem. The vulnerability is particularly dangerous in environments where dynamic scheduler modifications are common, such as containerized environments or systems implementing custom scheduling policies through BPF (Berkeley Packet Filter) extensions. The specific call trace shows the vulnerability propagates through multiple kernel functions including scx_enable_task, switching_to_scx, and ultimately through BPF system calls, indicating that the issue affects not just the core scheduler but also the broader kernel's BPF infrastructure. This creates a cascading effect that can destabilize systems relying on these advanced scheduling capabilities.

The fix for CVE-2025-39780 addresses the core issue by ensuring that dead tasks are properly excluded during scheduling class switching operations. This remediation aligns with established security practices for kernel development and follows the principle of least privilege by preventing operations on terminated processes. The solution directly addresses the scheduling class transition logic to include the same dead task exclusion that already exists for initialization phases. This fix prevents the invalid state transitions that were causing the kernel warnings and potential system instability. From a cybersecurity perspective, this vulnerability falls under the category of improper state management, which is classified as CWE-248 in the CWE database, representing an "Uncaught Exception" where the system fails to handle exceptional conditions properly. The remediation ensures that the scheduler maintains proper state consistency, preventing potential exploitation vectors that could arise from inconsistent task state management, particularly in environments where malicious actors might attempt to manipulate scheduling behavior through crafted BPF programs or other kernel interfaces.

Responsible

Linux

Reservation

04/16/2025

Disclosure

09/11/2025

Moderation

accepted

CPE

ready

EPSS

0.00134

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!