Skip to main content

Linux Kernel CVE-2026-43491

| EUVDEUVD-2026-30880 MEDIUM
2026-05-19 Linux GHSA-vfqf-4c37-r857
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector with low-privilege IPC access required; pure availability impact via memory exhaustion; no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 19:26 vuln.today
CVSS changed
Jun 26, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 19, 2026 - 12:02 EUVD
CVE Published
May 19, 2026 - 10:44 nvd
MEDIUM 5.5
CVE Published
May 19, 2026 - 10:44 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Limit the maximum server registration per node

Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory.

Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker().

Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.

AnalysisAI

Memory exhaustion in the Linux kernel's QRTR (Qualcomm IPC Router) namespace subsystem allows a local low-privileged attacker to crash the system by flooding NEW_SERVER registration messages without triggering any bound check. Affected systems are those running kernels between the introducing commit (0c2204a4ad710d95d348ea006f14ba926e842ffd) and the fix commits across stable branches. No public exploit code has been identified and EPSS sits at the 5th percentile, indicating minimal observed exploitation activity.

Technical ContextAI

The QRTR subsystem (net/qrtr/ns) provides IPC between components in Qualcomm SoC-based systems, commonly Android handsets and embedded platforms. The qrtr_ns_worker() function processes NEW_SERVER control messages that register service endpoints per node. Prior to the fix, no upper bound was enforced on how many server entries a single node could register, meaning repeated NEW_SERVER messages caused unbounded kernel heap growth until OOM killed processes or the system crashed. The root cause is a missing resource-exhaustion guard - consistent with CWE-770 (Allocation of Resources Without Limits or Throttling), though NVD lists CWE as N/A. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms this is a local, availability-only impact. The 'Information Disclosure' tag in the input appears to be a mislabeling; the vulnerability has no confidentiality impact per description or CVSS.

RemediationAI

The vendor-released patched versions are Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1; administrators should upgrade to the appropriate stable release for their branch as the primary fix. The upstream patch introduces a per-node server registration cap of 256 and adds rate-limiting to error messages in qrtr_ns_worker(). For systems that cannot be patched immediately and that load the QRTR module, the most actionable compensating control is to unload or blacklist the qrtr kernel module ('echo blacklist qrtr >> /etc/modprobe.d/blacklist-qrtr.conf' followed by an initramfs rebuild) - note this will break Qualcomm modem IPC and any dependent subsystem on affected hardware. On systems where QRTR is not required (most x86 servers), ensuring the module is not loaded provides full mitigation with no operational trade-off. Fix commit references are available at https://git.kernel.org/stable/c/e6f6cd501fb54060940a6eb3f4103eeb5e426ae7 and related links.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected

Share

CVE-2026-43491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy