Skip to main content

Linux Kernel QAIC EUVDEUVD-2026-26606

| CVE-2026-43007 HIGH
Double Free (CWE-415)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 23:00 vuln.today
CVSS changed
May 07, 2026 - 20:37 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26606
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/qaic: Handle DBC deactivation if the owner went away

When a DBC is released, the device sends a QAIC_TRANS_DEACTIVATE_FROM_DEV transaction to the host over the QAIC_CONTROL MHI channel. QAIC handles this by calling decode_deactivate() to release the resources allocated for that DBC. Since that handling is done in the qaic_manage_ioctl() context, if the user goes away before receiving and handling the deactivation, the host will be out-of-sync with the DBCs available for use, and the DBC resources will not be freed unless the device is removed. If another user loads and requests to activate a network, then the device assigns the same DBC to that network, QAIC will "indefinitely" wait for dbc->in_use = false, leading the user process to hang.

As a solution to this, handle QAIC_TRANS_DEACTIVATE_FROM_DEV transactions that are received after the user has gone away.

AnalysisAI

A use-after-free resource management flaw in the Linux kernel's Qualcomm AI accelerator (QAIC) driver allows local authenticated users to cause denial of service and potentially escalate privileges. When a DBC (Device Binding Context) owner process terminates before handling device-initiated deactivation messages, the kernel fails to release DBC resources, causing subsequent activation attempts to hang indefinitely and creating exploitable resource state inconsistencies. The vulnerability affects Linux kernel versions 6.4 through 6.19.12, with vendor patches available across multiple stable branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC has been identified.

Technical ContextAI

This vulnerability exists in the QAIC (Qualcomm AI accelerator) driver's MHI (Modem Host Interface) channel handler, specifically in the processing of QAIC_TRANS_DEACTIVATE_FROM_DEV transactions sent over the QAIC_CONTROL channel. The underlying issue is a CWE-415 double-free or use-after-free condition in DBC resource lifecycle management. When the device sends a deactivation message but the userspace process that owns the DBC has already terminated, the qaic_manage_ioctl() context cannot execute decode_deactivate() to properly release allocated resources. This creates an orphaned DBC in an inconsistent state where the device believes it's inactive but the host driver still tracks it as allocated. The dbc->in_use semaphore becomes permanently locked, causing any subsequent network activation request that reuses the same DBC identifier to block indefinitely waiting for the flag to clear. The CPE data identifies this as affecting the Linux kernel's QAIC acceleration subsystem introduced in version 6.4, with the vulnerable code path existing from commit 129776ac2e38231fa9c02ce20e116c99de291666 forward until patched.

RemediationAI

Apply vendor-released kernel updates to patched versions: upgrade to Linux kernel 6.6.134 or later for 6.6.x series, 6.12.81 or later for 6.12.x series, 6.18.22 or later for 6.18.x series, 6.19.12 or later for 6.19.x series, or 7.0 or later for mainline kernels. Patches are available from the official Linux kernel stable repository at the URLs listed in references. For environments unable to immediately patch, implement compensating controls: restrict local user access to systems with QAIC hardware to trusted administrators only via PAM configuration or SELinux/AppArmor policies targeting the qaic device nodes in /dev, monitor for hung processes waiting on QAIC DBC resources using process state monitoring (processes in D state interacting with /dev/accel/accel*), and implement resource limits via cgroups to prevent single users from exhausting all DBC contexts. Note that restricting access to QAIC devices will prevent legitimate AI workload execution by non-privileged users, requiring workflow adjustments. Kernel module blacklisting (blacklist qaic in /etc/modprobe.d/) prevents the vulnerability but disables all AI acceleration functionality. Restarting systems after applying kernel updates is required as this is a kernel driver fix that cannot be hot-patched.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy