Description
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak

__radix_tree_create() allocates and links intermediate nodes into the
tree one by one. If a subsequent allocation fails, the already-linked
nodes remain in the tree with no corresponding leaf entry. These orphaned
internal nodes are never reclaimed because radix_tree_for_each_slot()
only visits slots containing leaf values.

The radix_tree API is deprecated in favor of xarray. As suggested by
Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead
of fixing the radix_tree itself [1]. xarray properly handles cleanup of
internal nodes — xa_destroy() frees all internal xarray nodes when the
qrtr_node is released, preventing the leak.

[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel's QRTR module, the qrtr_tx_flow subsystem originally used a radix_tree data structure to track flow control. When node allocation occurs, the creation routine links intermediate nodes into the tree one after another. If a subsequent allocation fails, the already linked intermediate nodes are left orphaned, with no associated leaf entry. Because the radix_tree traversal routine visits only slots containing leaf values, these orphan nodes are never reclaimed, causing a kernel memory leak. Persistent allocation failures can gradually consume kernel memory, potentially degrading performance or leading to a crash. The issue is remedied by replacing the radix_tree with an xarray, which properly frees internal nodes when the root structure is destroyed. The flaw is classified as CWE-772 and CWE-401.
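The leak pattern described above, as an added C model that is not kernel code and not part of the advisory. It builds a constructed three-level trie whose insert links each interior node as soon as it is allocated, then tears it down once with a leaf-only walk and once with a free-everything walk in the style of xa_destroy(). The names node_alloc, tree_insert, leaf_walk_teardown, destroy_all and leaked_after are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not kernel code: 3-level trie, 4 slots per node, keys 0..63. */
enum { FANOUT = 4, LEVELS = 3 };
struct node { struct node *slot[FANOUT]; };
static int live_nodes;        /* interior nodes currently allocated */
static int allocs_left = -1;  /* fault injection; -1 means never fail */

static struct node *node_alloc(void) {
    if (allocs_left == 0) return NULL;
    if (allocs_left > 0) allocs_left--;
    live_nodes++; return calloc(1, sizeof(struct node));
}
/* Each new interior node is linked as soon as it exists; a later failure undoes nothing. */
static int tree_insert(struct node **root, unsigned key, void *val) {
    struct node **link = root;
    for (int lvl = LEVELS - 1; ; lvl--) {
        if (!*link && !(*link = node_alloc())) return -1;  /* -ENOMEM analogue */
        unsigned idx = (key >> (2 * lvl)) % FANOUT;
        if (lvl == 0) { (*link)->slot[idx] = val; return 0; }
        link = &(*link)->slot[idx];
    }
}
/* Leaf-only teardown: frees a node only when deleting a leaf emptied it. Returns 1 if freed. */
static int leaf_walk_teardown(struct node *n, int lvl) {
    int removed = 0, kept = 0;
    for (int i = 0; i < FANOUT; i++) {
        if (!n->slot[i]) continue;
        if (lvl == 0 || leaf_walk_teardown(n->slot[i], lvl - 1)) { n->slot[i] = NULL; removed++; }
        else kept++;
    }
    if (!removed || kept) return 0;  /* never held a leaf, or an orphan remains below */
    free(n); live_nodes--; return 1;
}
/* xa_destroy()-style teardown: frees every interior node, leaf or no leaf. */
static void destroy_all(struct node *n, int lvl) {
    if (!n) return;
    for (int i = 0; lvl > 0 && i < FANOUT; i++) destroy_all(n->slot[i], lvl - 1);
    free(n); live_nodes--;
}
/* Nodes still allocated after one good insert, one failed insert, then teardown. */
static int leaked_after(int use_destroy_all) {
    struct node *root = NULL; int v = 1;
    live_nodes = 0; allocs_left = -1;
    tree_insert(&root, 5, &v);                    /* succeeds, 3 nodes */
    allocs_left = 1; tree_insert(&root, 60, &v);  /* links 1 node, then fails */
    allocs_left = -1;
    if (use_destroy_all) destroy_all(root, LEVELS - 1); else leaf_walk_teardown(root, LEVELS - 1);
    return live_nodes;
}
int main(void) { printf("leaf walk: %d, destroy all: %d\n", leaked_after(0), leaked_after(1)); return 0; }
```

In the leaf-only case the orphaned node and the parent that still points to it both survive teardown, which is why the count is two rather than one.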

Affected Systems

Any Linux kernel build that includes the QRTR module and has not applied the recent patch is affected. The vulnerability exists in kernels that still employ the legacy radix_tree implementation for qrtr_tx_flow, so it can be present across a wide range of distributions and kernel releases until the module is migrated to xarray. Systems that rely on QRTR for interprocess or Bluetooth communications are especially relevant.

Risk and Exploitability

The memory leak can only be triggered when the kernel allocates QRTR flow entries, requiring kernel or privileged context. No remote exploitation vector is described, and the EPSS score is < 1%, indicating a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation. The CVSS score is 5.5, indicating moderate severity, and the flaw is classified as CWE-772 and CWE-401. Nonetheless, a malicious user with sufficient privileges could force repeated allocation failures to exhaust kernel memory, leading to local denial of service or system instability.

Generated by OpenCVE AI on May 8, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel that includes the QRTR fix replacing radix_tree with xarray.
  • If an immediate kernel upgrade is not feasible, backport the xarray replacement patch from the cited commit references and rebuild the kernel.
  • Until the patch is deployed, limit the use of the QRTR subsystem or set system limits to prevent excessive memory consumption by QRTR flows.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DLA | DLA-4606-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Fri, 08 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:34.530Z

Reserved: 2026-05-01T14:12:55.978Z

Link: CVE-2026-43041

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-01T15:16:50.270

Modified: 2026-05-08T18:54:39.410

Link: CVE-2026-43041

Redhat

Severity: Low

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43041 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T21:15:05Z

Weaknesses