Description
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Free the node during ctrl_cmd_bye()

A node sends the BYE packet when it is about to go down. So the nameserver
should advertise the removal of the node to all remote and local observers
and free the node finally. But currently, the nameserver doesn't free the
node memory even after processing the BYE packet. This causes the node
memory to leak.

Hence, remove the node from Xarray list and free the node memory during
both success and failure case of ctrl_cmd_bye().
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel’s QRTR nameserver does not free the node data structure after a BYE packet is processed, causing a memory leak in kernel space. This defect allows an attacker to exhaust kernel memory by repeatedly sending BYE packets, potentially leading to degraded system performance or service denial, as the leaked memory accumulates over time.

Affected Systems

The vulnerability exists in the Linux kernel across all versions that contain the QRTR subsystem, with no specific version exclusions noted.

Risk and Exploitability

The bug is a pure memory leak; it does not lead to a crash or arbitrary code execution in the kernel. The CVSS score of 5.5 indicates medium severity. Based on the description, exploitation is inferred to require a local process capable of sending a BYE packet, which is typically available to privileged users or compromised software. Because the EPSS score is not available and the flaw is not listed in KEV, the immediate threat level is moderate, but the impact on stability can be significant if the leak is repeatedly triggered.

Generated by OpenCVE AI on May 28, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the commit referenced in the advisory.
  • If an immediate upgrade is unavailable, reboot the system to clear the leaked memory, as the kernel state is reset upon kernel start.
  • Continuously monitor kernel memory usage and set alerts for abnormal growth that may indicate the leak is active.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Low


Wed, 27 May 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Free the node during ctrl_cmd_bye() A node sends the BYE packet when it is about to go down. So the nameserver should advertise the removal of the node to all remote and local observers and free the node finally. But currently, the nameserver doesn't free the node memory even after processing the BYE packet. This causes the node memory to leak. Hence, remove the node from Xarray list and free the node memory during both success and failure case of ctrl_cmd_bye().
Title net: qrtr: ns: Free the node during ctrl_cmd_bye()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:49:48.176Z

Reserved: 2026-05-13T15:03:33.093Z

Link: CVE-2026-46038

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-27T14:17:23.140

Modified: 2026-06-16T15:16:28.740

Link: CVE-2026-46038

Redhat

Severity: Low

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46038 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T06:15:10Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime