CVE-2025-37821: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's EEVDF (Energy-Efficient Virtual Deadline First) scheduler component was discovered and assigned CVE-2025-37821 on May 8, 2025. The issue resides in the dequeueentities() function where a code path can incorrectly set the slice of a schedentity to U64_MAX, potentially resulting in system crashes (NVD, Wiz).

The vulnerability occurs in a specific scenario when dequeueentities() is called to dequeue a delayed group entity and the entity's parent's dequeue is delayed. The issue manifests in the entityistask(se) else block where slice is set to cfsrqminslice(groupcfsrq(se)). For delayed entities with no queued tasks, cfsrqminslice() returns U64MAX. This value propagates through subsequent calculations, leading to incorrect vruntime calculations and potential system crashes. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

When exploited, this vulnerability can lead to system crashes through a chain of events including incorrect vruntime calculations, huge negative or positive lag values, and eventual NULL pointer dereference in picknextentity(). The issue affects the stability and reliability of systems using the EEVDF scheduler (Wiz).

The issue has been fixed by modifying dequeueentities() to always set slice from the first non-empty cfsrq. System administrators are advised to apply the latest kernel updates that include this fix (NVD).