CVE-2025-37821: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's EEVDF (Energy-Efficient Virtual Deadline First) scheduler component was discovered and assigned CVE-2025-37821 on May 8, 2025. The issue resides in the dequeue_entities() function where a code path can incorrectly set the slice of a sched_entity to U64_MAX, potentially resulting in system crashes (NVD, Wiz).

The vulnerability occurs in a specific scenario when dequeue_entities() is called to dequeue a delayed group entity and the entity's parent's dequeue is delayed. The issue manifests in the entity_is_task(se) else block where slice is set to cfs_rq_min_slice(group_cfs_rq(se)). For delayed entities with no queued tasks, cfs_rq_min_slice() returns U64_MAX. This value propagates through subsequent calculations, leading to incorrect vruntime calculations and potential system crashes. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

When exploited, this vulnerability can lead to system crashes through a chain of events including incorrect vruntime calculations, huge negative or positive lag values, and eventual NULL pointer dereference in pick_next_entity(). The issue affects the stability and reliability of systems using the EEVDF scheduler (Wiz).

The issue has been fixed by modifying dequeue_entities() to always set slice from the first non-empty cfs_rq. System administrators are advised to apply the latest kernel updates that include this fix (NVD).