
CVE-2025-21771: Vulnerability in Linux Linux

Medium
Published: Thu Feb 27 2025 (02/27/2025, 02:18:19 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix incorrect autogroup migration detection

scx_move_task() is called from sched_move_task() and tells the BPF scheduler that cgroup migration is being committed. sched_move_task() is used by both cgroup and autogroup migrations and scx_move_task() tried to filter out autogroup migrations by testing the destination cgroup and PF_EXITING but this is not enough. In fact, without explicitly tagging the thread which is doing the cgroup migration, there is no good way to tell apart scx_move_task() invocations for racing migration to the root cgroup and an autogroup migration.

This led to scx_move_task() incorrectly ignoring a migration from non-root cgroup to an autogroup of the root cgroup triggering the following warning:

  WARNING: CPU: 7 PID: 1 at kernel/sched/ext.c:3725 scx_cgroup_can_attach+0x196/0x340
  ...
  Call Trace:
  <TASK>
    cgroup_migrate_execute+0x5b1/0x700
    cgroup_attach_task+0x296/0x400
    __cgroup_procs_write+0x128/0x140
    cgroup_procs_write+0x17/0x30
    kernfs_fop_write_iter+0x141/0x1f0
    vfs_write+0x31d/0x4a0
    __x64_sys_write+0x72/0xf0
    do_syscall_64+0x82/0x160
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix it by adding an argument to sched_move_task() that indicates whether the moving is for a cgroup or autogroup migration. After the change, scx_move_task() is called only for cgroup migrations and renamed to scx_cgroup_move_task().

AI-Powered Analysis

Last updated: 06/30/2025, 08:56:49 UTC

Technical Analysis

CVE-2025-21771 is a vulnerability identified in the Linux kernel's scheduler extension (sched_ext) subsystem, specifically related to the handling of task migration between control groups (cgroups) and autogroups. The vulnerability arises from incorrect detection logic in the function scx_move_task(), which is invoked by sched_move_task() to notify the BPF scheduler about cgroup migrations. The original implementation attempted to differentiate between cgroup migrations and autogroup migrations by checking the destination cgroup and the PF_EXITING flag. However, this method was insufficient, leading to scenarios where migrations from a non-root cgroup to an autogroup of the root cgroup were improperly ignored. This incorrect handling triggered kernel warnings and could potentially lead to inconsistent scheduler state or unexpected behavior during task migration.

The root cause was the lack of explicit tagging to distinguish the thread performing the cgroup migration, making it impossible to reliably differentiate between racing migrations to the root cgroup and autogroup migrations. The fix involved modifying sched_move_task() to include an additional argument explicitly indicating whether the migration is for a cgroup or autogroup, and renaming scx_move_task() to scx_cgroup_move_task() to clarify its scope. This change ensures that scx_cgroup_move_task() is only called for cgroup migrations, preventing the previous misclassification and associated warnings.

While no known exploits are reported in the wild, the vulnerability affects the Linux kernel scheduler's internal migration logic, which is critical for process management and resource allocation in Linux-based systems.

Potential Impact

For European organizations, the impact of CVE-2025-21771 primarily concerns the stability and reliability of Linux-based systems, which are widely used across various sectors including finance, telecommunications, government infrastructure, and cloud services. Incorrect handling of task migrations between cgroups and autogroups could lead to kernel warnings and potentially unstable scheduler behavior, which might degrade system performance or cause unexpected process scheduling anomalies. Although no direct evidence suggests this vulnerability leads to privilege escalation or remote code execution, the kernel warnings and scheduler inconsistencies could be leveraged in complex attack chains or cause denial-of-service conditions if exploited in conjunction with other vulnerabilities. Organizations relying heavily on containerization, cgroup-based resource management, or BPF-based monitoring and security tools may experience disruptions or reduced effectiveness of these mechanisms. Given the Linux kernel's central role in server and cloud infrastructure, any instability could impact service availability and operational continuity, especially in critical sectors such as finance and public administration.

Mitigation Recommendations

To mitigate CVE-2025-21771, European organizations should promptly apply the official Linux kernel patches that address this vulnerability, ensuring that the updated sched_move_task() function includes the migration type argument and that scx_move_task() is replaced by scx_cgroup_move_task(). System administrators should verify that their Linux distributions have incorporated this fix, particularly in kernels used in production environments. Additionally, organizations should monitor kernel logs for warnings related to scx_cgroup_can_attach or similar scheduler messages that might indicate unresolved migration issues. For environments utilizing BPF-based schedulers or cgroup/autogroup resource management, thorough testing should be conducted post-patch to confirm stable task migration behavior. It is also advisable to maintain up-to-date kernel versions and subscribe to vendor security advisories to receive timely updates. Where feasible, implement kernel live patching solutions to minimize downtime during patch deployment. Finally, organizations should review their incident response and monitoring capabilities to detect any abnormal scheduler behavior that could signal exploitation attempts or system instability.
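The kernel-log check recommended above, written out as an added example that is not part of the original advisory or of the kernel project. It scans dmesg or journald text for the WARNING raised in scx_cgroup_can_attach() and collects the call-trace frames that follow it; the names find_scx_warnings and SAMPLE_LOG are hypothetical, and the sample log is constructed around the trace quoted in the description.

```python
import re

# Constructed sample in dmesg format: timestamps, the USB line and the second
# WARNING are made up; the first WARNING and its frames are those quoted in
# the CVE description.
SAMPLE_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  412.337120] WARNING: CPU: 7 PID: 1 at kernel/sched/ext.c:3725 scx_cgroup_can_attach+0x196/0x340
[  412.337140] Call Trace:
[  412.337141]  <TASK>
[  412.337150]  cgroup_migrate_execute+0x5b1/0x700
[  412.337151]  cgroup_attach_task+0x296/0x400
[  412.337152]  __cgroup_procs_write+0x128/0x140
[  412.337153]  cgroup_procs_write+0x17/0x30
[  500.000000] WARNING: CPU: 2 PID: 88 at fs/example.c:10 example_fn+0x10/0x20
[  500.000010] Call Trace:
[  500.000011]  other_fn+0x1/0x2
"""

# Optional journald prefix ("... kernel: ") and optional dmesg timestamp.
PREFIX_RE = re.compile(r"^(?:.*? kernel: )?(?:\[\s*\d+\.\d+\] ?)?")
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>\S+):(?P<line>\d+) (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*\??\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_scx_warnings(log_text):
    """Return one dict per WARNING raised in scx_cgroup_can_attach()."""
    hits, current = [], None
    for raw in log_text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1)
        warn = WARN_RE.search(line)
        if warn:
            # Match on file and function, not the line number: 3725 is
            # specific to the build that produced the quoted trace.
            current = None
            if (warn["file"], warn["func"]) == ("kernel/sched/ext.c", "scx_cgroup_can_attach"):
                current = {"cpu": int(warn["cpu"]), "pid": int(warn["pid"]), "frames": []}
                hits.append(current)
        elif current is not None and (frame := FRAME_RE.match(line)):
            current["frames"].append(frame["sym"])
    for hit in hits:
        # Signature from the description: reached through a cgroup.procs write.
        hit["via_cgroup_procs_write"] = "cgroup_procs_write" in hit["frames"]
    return hits

if __name__ == "__main__":
    for hit in find_scx_warnings(SAMPLE_LOG):
        print(hit)
```

A hit on a kernel that is supposed to carry the fix is a reason to recheck which kernel build is actually running.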


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.762Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe8768

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 6/30/2025, 8:56:49 AM

Last updated: 8/12/2025, 9:25:52 AM
