Skip to main content

Linux Kernel CVE-2026-46038

| EUVDEUVD-2026-32419 MEDIUM
Memory Leak (CWE-401)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pc3v-mpgj-wxwq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges needed to send QRTR BYE packets; impact is memory exhaustion only, with no confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:45 vuln.today
CVSS changed
Jun 16, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Free the node during ctrl_cmd_bye()

A node sends the BYE packet when it is about to go down. So the nameserver should advertise the removal of the node to all remote and local observers and free the node finally. But currently, the nameserver doesn't free the node memory even after processing the BYE packet. This causes the node memory to leak.

Hence, remove the node from Xarray list and free the node memory during both success and failure case of ctrl_cmd_bye().

AnalysisAI

Memory exhaustion in the Linux Kernel's QRTR (Qualcomm IPC Router) nameserver subsystem exposes local, low-privileged users to a denial-of-service condition. The ctrl_cmd_bye() function, triggered when a QRTR node sends a BYE shutdown packet, fails to remove the node from the Xarray structure or release the associated memory - resulting in a persistent kernel memory leak (CWE-401). Affected systems are Linux kernels from 5.7 through multiple stable branches, with fixes backported to 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.02% (5th percentile), indicating minimal real-world threat at this time.

Technical ContextAI

QRTR is a Linux kernel subsystem implementing a lightweight IPC (Inter-Process Communication) router for Qualcomm SoC components, primarily used in embedded, mobile, and IoT devices running Linux. The nameserver (net/qrtr/ns.c) maintains a registry of active nodes using an Xarray data structure. When a remote node sends a BYE control packet - signalling imminent shutdown - the function ctrl_cmd_bye() is responsible for advertising node removal to observers and cleaning up state. The defect (CWE-401: Missing Release of Memory after Effective Lifetime) is that this function neither removes the node entry from the Xarray nor frees the node object, in either success or failure paths. The fix applies across both paths to ensure deterministic cleanup. CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* covers all affected kernel versions beginning at the QRTR nameserver introduction commit 0c2204a4ad710d95d348ea006f14ba926e842ffd (circa Linux 5.7).

RemediationAI

Upgrade to one of the following patched Linux kernel versions: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1, each of which includes the backported fix for ctrl_cmd_bye() memory handling. Patch commits are publicly available via the kernel stable tree at https://git.kernel.org/stable/c/154fc7fe3f62c46891c3c4302f4b5b5391c932e6 (mainline), https://git.kernel.org/stable/c/65932f5102bb5377db36c8a4f0c28179a1967a9a (6.18), https://git.kernel.org/stable/c/68efba36446a7774ea5b971257ade049272a07ac (6.12), https://git.kernel.org/stable/c/ff78ed177a66763085e3214d6fbe13ca8f0b3f11 (6.6), and https://git.kernel.org/stable/c/076e4b162d6caba12c229e7f262df5b6881162b0 (7.0). As a compensating control on systems where patching is not immediately feasible, disabling the QRTR subsystem by setting CONFIG_QRTR=n at build time or blacklisting the qrtr kernel module ('modprobe -r qrtr') will eliminate the attack surface entirely, though this will break any IPC functionality dependent on Qualcomm QRTR transport.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy