Skip to main content

Linux Kernel CVE-2026-46026

| EUVDEUVD-2026-32407 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5wpx-pvcm-rf34
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only attack via QRTR socket requires standard user privileges (PR:L); impact is exclusively availability loss with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 16:09 vuln.today
CVSS changed
Jun 16, 2026 - 16:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Limit the maximum number of lookups

Current code does no bound checking on the number of lookups a client can perform. Though the code restricts the lookups to local clients, there is still a possibility of a malicious local client sending a flood of NEW_LOOKUP messages over the same socket.

Fix this issue by limiting the maximum number of lookups to 64 globally. Since the nameserver allows only atmost one local observer, this global lookup count will ensure that the lookups stay within the limit.

Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.

AnalysisAI

Uncontrolled resource consumption in the Linux kernel's QRTR (Qualcomm IPC Router) nameserver module allows a local authenticated user to exhaust nameserver resources by flooding it with unbounded NEW_LOOKUP messages over a single socket. The affected subsystem (net/qrtr/ns) restricted lookups to local clients but imposed no count limit, enabling a sustained denial-of-service against QRTR-dependent inter-process communication on Qualcomm SoC platforms. No public exploit has been identified and EPSS stands at 0.02% (5th percentile), placing this firmly in the low real-world priority tier despite its High availability impact rating.

Technical ContextAI

The vulnerability resides in the QRTR nameserver module (net/qrtr/ns) of the Linux kernel - a subsystem used primarily on Qualcomm SoC platforms to broker inter-process communication between the application processor and modem via a publish/subscribe service registry. Clients submit NEW_LOOKUP messages to discover registered services; the nameserver processes each request without enforcing any bound on total outstanding lookups. The root cause is an uncontrolled resource consumption pattern (functionally equivalent to CWE-400), where the nameserver's acceptance of an arbitrary volume of requests from a single malicious local client could exhaust processing capacity. The fix introduces a global hard cap of 64 concurrent lookups, chosen to match current platform requirements. Affected products are scoped via CPE cpe:2.3:o:linux:linux_kernel across multiple stable branches, with the vulnerable behavior introduced at commit 0c2204a4ad710d95d348ea006f14ba926e842ffd. Note that the 'Information Disclosure' tag present in the source intelligence is inconsistent with the CVE description and the CVSS vector (C:N/I:N/A:H) and should be treated as a mis-tagging.

RemediationAI

Apply the vendor-released kernel stable patches targeting your deployed branch: upgrade to Linux 6.6.140 (commit 0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3 at https://git.kernel.org/stable/c/0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3), Linux 6.12.86 (commit 20855cef7e659ef84ac73251256fa530819b2346 at https://git.kernel.org/stable/c/20855cef7e659ef84ac73251256fa530819b2346), Linux 6.18.27 (commit 5640227d9a21c6a8be249a10677b832e7f40dc55 at https://git.kernel.org/stable/c/5640227d9a21c6a8be249a10677b832e7f40dc55), Linux 7.0.4 (commit 2b930bc77e00cb27e1d6e1d497b3b596283465ef at https://git.kernel.org/stable/c/2b930bc77e00cb27e1d6e1d497b3b596283465ef), or Linux 7.1-rc1 (commit 76adf8f69b0bb3ab20be7c58f5d555027332d113 at https://git.kernel.org/stable/c/76adf8f69b0bb3ab20be7c58f5d555027332d113). Monitor distribution vendors (Red Hat, Ubuntu, Debian, etc.) for backported kernel packages and apply via standard patch management. As a compensating control on unpatched Qualcomm-based systems where QRTR is not operationally required, unload the module with 'modprobe -r qrtr' - however, on mobile or modem-integrated platforms this will break application-processor-to-modem IPC and may cause functional loss. Restricting local user privilege levels or isolating untrusted users via Linux namespaces reduces the attack surface without service disruption.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46026 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy