Description
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Limit the total number of nodes

Currently, the nameserver doesn't limit the number of nodes it handles.
This can be an attack vector if a malicious client starts registering
random nodes, leading to memory exhaustion.

Hence, limit the maximum number of nodes to 64. Note that, limit of 64 is
chosen based on the current platform requirements. If requirement changes
in the future, this limit can be increased.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel QRTR nameserver did not enforce a maximum for the number of node registrations. An attacker controllable over QRTR messages can create many random nodes, causing the kernel to allocate memory for each node. This process can exhaust system memory and lead to a denial‑of‑service condition for services that rely on the nameserver. The weakness is a resource exploitation flaw (CWE‑770).

Affected Systems

All Linux kernel builds that do not contain the commit which limits QRTR node registrations to 64 are affected. The limitation was introduced in a recent kernel patch that is applied in current releases. Tenants using older kernels without this change remain vulnerable.

Risk and Exploitability

The CVSS score of 5.5 reflects medium overall severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the exhaustion by sending numerous QRTR registration messages, without requiring elevated privileges or authentication. The risk persists until the kernel includes the node‑limit change or an equivalent mitigation is applied.

Generated by OpenCVE AI on June 18, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version containing "QRTR nameserver node limit to 64".
  • Apply the upstream patch manually from the provided kernel commit links if an immediate kernel upgrade is not possible.
  • Restrict access to the QRTR interface via firewall or SELinux to limit connections to trusted hosts.
  • Monitor system memory usage and QRTR node counts to detect abnormal activity.

Generated by OpenCVE AI on June 18, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
Ubuntu USN Ubuntu USN USN-8488-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8489-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-8488-2 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8507-1 Linux kernel (NVIDIA) vulnerabilities
History

Fri, 19 Jun 2026 12:45:00 +0000


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-789

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-789

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the total number of nodes Currently, the nameserver doesn't limit the number of nodes it handles. This can be an attack vector if a malicious client starts registering random nodes, leading to memory exhaustion. Hence, limit the maximum number of nodes to 64. Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.
Title net: qrtr: ns: Limit the total number of nodes
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-19T11:58:56.529Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-46003

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:18.010

Modified: 2026-06-17T10:52:52.903

Link: CVE-2026-46003

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46003 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses