CVE-2026-46047 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Fix use-after-free in driver remove()

In the remove callback, if a packet arrives after destroy_workqueue() is
called, but before sock_release(), the qrtr_ns_data_ready() callback will
try to queue the work, causing use-after-free issue.

Fix this issue by saving the default 'sk_data_ready' callback during
qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at
the start of remove(). This ensures that even if a packet arrives after
destroy_workqueue(), the work struct will not be dereferenced.

Note that it is also required to ensure that the RX threads are completed
before destroying the workqueue, because the threads could be using the
qrtr_ns_data_ready() callback.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernels QRTR (Qualcomm Resource Tracking) driver, where the driver removal routine can concurrently be triggered by packet reception. If a packet arrives after the workqueue is destroyed but before the socket is released, the callback that attempts to queue work dereferences a freed structure. This use‑after‑free can corrupt kernel memory, potentially leading to a crash or, in the worst case, arbitrary code execution from kernel space. The underlying weakness is a classic use‑after‑free bug (CWE‑416).

Affected Systems

All Linux kernel builds that include the QRTR driver are affected until the patch that preserves the original sk_data_ready callback in qrtr_ns_init() is applied. The exact affected versions are not specified, so any distribution version prior to the commit authorship (0f313eb6a8f6dffa491373cf3afab979fa1c02f4 and related commits) is potentially vulnerable.

Risk and Exploitability

The CVSS score is not provided, but the absence of the KEV listing suggests no confirmed exploit, and EPSS is not available. Nonetheless, the vulnerability requires an attacker to send packets to a device that uses the QRTR interface while the driver is being removed. If the attacker has local or remote access to that interface, the memory corruption could be triggered. The risk is therefore moderate; it does not affect remote systems purely via network traffic unless the QRTR interface is exposed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0c2204a4ad710d95d348ea006f14ba926e842ffd`	affected	< 0f313eb6a8f6dffa491373cf3afab979fa1c02f4
`0c2204a4ad710d95d348ea006f14ba926e842ffd`	affected	< db3c60ec772de30acae92d560dfcc5258e58dbe8
`0c2204a4ad710d95d348ea006f14ba926e842ffd`	affected	< 2e127ceb1c415e246076d8e09e23e443a7a2038f
`0c2204a4ad710d95d348ea006f14ba926e842ffd`	affected	< f96779e916576e81430ebb326baff6e433fef8ae
`0c2204a4ad710d95d348ea006f14ba926e842ffd`	affected	< 7809fea20c9404bfcfa6112ec08d1fe1d3520beb

Linux

affected

Version	Status	Constraints
`5.7`	affected	—
`0`	unaffected	< 5.7
`6.6.140`	unaffected	≤ 6.6.*
`6.12.86`	unaffected	≤ 6.12.*
`6.18.27`	unaffected	≤ 6.18.*
`7.0.4`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the patch for CVE-2026-46047, which saves the original sk_data_ready callback and restores it before removing the module.
If a kernel upgrade is not immediately possible, ensure that the QRTR driver is not removed while packets may still be arriving—flush or pause all related workqueues and verify that all RX threads have terminated before initiating driver unload.
If the system uses QRTR indirectly, disable the functionality or isolate the interface so that no packets can be processed during driver removal. This reduces the opportunity for the use‑after‑free to be triggered until the system can be patched.

Generated by OpenCVE AI on May 27, 2026 at 18:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4
https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f
https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb
https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8
https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae

History

Wed, 27 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Fix use-after-free in driver remove() In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing use-after-free issue. Fix this issue by saving the default 'sk_data_ready' callback during qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced. Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback.
Title		net: qrtr: ns: Fix use-after-free in driver remove()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4 https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8 https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:57:03.471Z

Updated: 2026-05-27T12:57:03.471Z

Reserved: 2026-05-13T15:03:33.094Z

Link: CVE-2026-46047

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:24.200

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46047

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:30:26Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object