CVE-2025-37821: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability has been identified and resolved in the scheduler's EEVDF (Energy-Efficient Virtual Deadline First) component. The issue involves a code path in dequeueentities() that can incorrectly set the slice of a schedentity to U64_MAX, which sometimes results in a system crash. This vulnerability was assigned CVE-2025-37821 and was reported on May 8, 2025 (NVD).

The vulnerability occurs in a specific code path when dequeueentities() is called to dequeue a delayed group entity, and the entity's parent's dequeue is delayed. The issue manifests when the slice is set to cfsrqminslice(groupcfsrq(se)) in the entityistask(se) else block. If the entity was delayed with no queued tasks, cfsrqminslice() returns U64MAX. This value propagates through subsequent calculations, leading to incorrect vruntime calculations and potential system crashes (NVD).

When exploited, this vulnerability can lead to system crashes through a chain of events including incorrect vruntime calculations, huge negative or positive lag values, and eventual NULL pointer dereference in picknextentity(). The issue affects the stability and reliability of systems using the EEVDF scheduler (NVD).

The issue has been fixed by modifying dequeueentities() to always set slice from the first non-empty cfsrq. System administrators are advised to apply the latest kernel updates that include this fix (NVD).