Skip to main content

Linux Kernel CVE-2026-46047

| EUVDEUVD-2026-32429 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-g5x6-jrf2-h8qv
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local AF_QIPCRTR socket access requires PR:L; race window between destroy_workqueue and sock_release makes AC:H; successful UAF yields full kernel C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:09 vuln.today
CVSS changed
Jun 16, 2026 - 15:07 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Fix use-after-free in driver remove()

In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing use-after-free issue.

Fix this issue by saving the default 'sk_data_ready' callback during qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced.

Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback.

AnalysisAI

Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.

Technical ContextAI

QRTR is the Qualcomm IPC Router socket family (net/qrtr) used to communicate with modem and other remote processors on Qualcomm SoCs; the name service (qrtr_ns) maintains lookup state via a workqueue driven by socket data-ready callbacks. The bug is a classic CWE-416 Use-After-Free triggered by a race between the socket receive path and module/driver removal: destroy_workqueue() is called while qrtr_ns_data_ready() can still fire from a packet RX softirq, queuing work onto freed structures. The patch saves the original sk_data_ready in qrtr_ns_init() and restores it at the very start of remove() before draining RX threads and tearing down the workqueue, closing the race window.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or later) per the stable-tree commits at https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4 and the sibling commits 2e127ceb, 7809fea2, db3c60ec, f96779e9, 4ae0bd51, 65168712, and dff081c3. For systems that cannot be rebooted immediately, blacklist the qrtr and qrtr-ns kernel modules where they are not functionally required (echo 'blacklist qrtr' and 'blacklist qrtr-ns' into /etc/modprobe.d/) - the trade-off is loss of Qualcomm IPC Router communication, which on non-Qualcomm hardware is no-op but on Qualcomm SoCs will break modem, GPS, and remote-processor messaging. Additionally restrict local shell access on Qualcomm-based devices and avoid runtime unbind/rmmod of qrtr while the system is in use, since the race is in the driver remove path.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy