{
  "threat_severity" : "Moderate",
  "public_date" : "2025-05-08T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash",
    "id" : "2365007",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2365007"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsched/eevdf: Fix se->slice being set to U64_MAX and resulting crash\nThere is a code path in dequeue_entities() that can set the slice of a\nsched_entity to U64_MAX, which sometimes results in a crash.\nThe offending case is when dequeue_entities() is called to dequeue a\ndelayed group entity, and then the entity's parent's dequeue is delayed.\nIn that case:\n1. In the if (entity_is_task(se)) else block at the beginning of\ndequeue_entities(), slice is set to\ncfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then\nit has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.\n2. The first for_each_sched_entity() loop dequeues the entity.\n3. If the entity was its parent's only child, then the next iteration\ntries to dequeue the parent.\n4. If the parent's dequeue needs to be delayed, then it breaks from the\nfirst for_each_sched_entity() loop _without updating slice_.\n5. The second for_each_sched_entity() loop sets the parent's ->slice to\nthe saved slice, which is still U64_MAX.\nThis throws off subsequent calculations with potentially catastrophic\nresults. A manifestation we saw in production was:\n6. In update_entity_lag(), se->slice is used to calculate limit, which\nends up as a huge negative number.\n7. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit\nis negative, vlag > limit, so se->vlag is set to the same huge\nnegative number.\n8. In place_entity(), se->vlag is scaled, which overflows and results in\nanother huge (positive or negative) number.\n9. The adjusted lag is subtracted from se->vruntime, which increases or\ndecreases se->vruntime by a huge number.\n10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which\nincorrectly returns false because the vruntime is so far from the\nother vruntimes on the queue, causing the\n(vruntime - cfs_rq->min_vruntime) * load calculation to overflow.\n11. Nothing appears to be eligible, so pick_eevdf() returns NULL.\n12. pick_next_entity() tries to dereference the return value of\npick_eevdf() and crashes.\nDumping the cfs_rq states from the core dumps with drgn showed tell-tale\nhuge vruntime ranges and bogus vlag values, and I also traced se->slice\nbeing set to U64_MAX on live systems (which was usually \"benign\" since\nthe rest of the runqueue needed to be in a particular state to crash).\nFix it in dequeue_entities() by always setting slice from the first\nnon-empty cfs_rq." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-37821\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37821\nhttps://lore.kernel.org/linux-cve-announce/2025050820-CVE-2025-37821-dbad@gregkh/T" ],
  "name" : "CVE-2025-37821",
  "csaw" : false
}