CVE-2025-39780 — OS Command Injection in Linux
Severity
5.5 MEDIUM (NVD)
CISA: 8.8
EPSS
0.0%
top 97.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 11
Description
In the Linux kernel, the following vulnerability has been resolved:
sched/ext: Fix invalid task state transitions on class switch
When enabling a sched_ext scheduler, we may trigger invalid task state
transitions, resulting in warnings like the following (which can be
easily reproduced by running the hotplug selftest in a loop):
sched_ext: Invalid task state transition 0 -> 3 for fish[770]
WARNING: CPU: 18 PID: 787 at kernel/sched/ext.c:3862 scx_set_task_state+0x7c/0xc0
...
RIP: 0010:scx_set_…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6
Affected Packages: 4 packages
CVEListV5: linux/linux a8532fac7b5d27b8d62008a89593dccb6f9786ef — 786f6314604b34c3e7de5f733f4e08e35c448a50 +3
Patches
Vulnerability Details
OSV: CVE-2025-39780 (2025-09-11)
GHSA: GHSA-6rhw-qcc5-9qm4 (2025-09-11)