CVE-2026-52947 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove

In qrtr_port_remove(), the socket reference count is decremented via
__sock_put() before the port is removed from the qrtr_ports XArray and
before the RCU grace period elapses.

This breaks the fundamental RCU update paradigm. It exposes a race
window where a concurrent RCU reader (such as qrtr_reset_ports() or
qrtr_port_lookup()) can obtain a pointer to the socket from the XArray,
and attempt to call sock_hold() on a socket whose reference count has
already dropped to zero.

This exact race condition was hit during syzkaller fuzzing, leading to
the following refcount saturation warning and a potential Use-After-Free:

refcount_t: saturated; leaking memory.
WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0
Modules linked in: qrtr(+) bochs drm_shmem_helper ...
Call Trace:
<TASK>
qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]
__qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]
qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]
kernel_bind+0xe4/0x120 net/socket.c:3592
qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]
qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]
do_one_initcall+0xf5/0x5e0 init/main.c:1283
...
</TASK>

Fix this by deferring the reference count decrement until after the
xa_erase() and the synchronize_rcu() complete.

(Note: The v1 of this patch incorrectly replaced __sock_put() with
sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()
still hold a reference to the socket, so freeing the socket memory here
would lead to a subsequent UAF in the caller. Thus, the __sock_put() is
kept, but only repositioned to close the RCU race.)

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs in the Linux kernel's QRTR subsystem when qrtr_port_remove() decrements the socket reference count before removing the port from the XArray and before an RCU grace period. This violates the RCU update paradigm and creates a race where an RCU reader can obtain a pointer to a socket whose reference count has already dropped to zero. The race was observed during fuzz testing, causing refcount saturation warnings and a potential Use‑After‑Free. The flaw allows an attacker to corrupt memory or gain unauthorized access, potentially escalating privileges.

Affected Systems

All Linux kernels that include the QRTR module cover current mainline releases and downstream distributions that ship the same kernel code. No specific version delimitations were listed, so any deployment using the qrtr driver is potentially impacted until the patch is applied.

Risk and Exploitability

The CVSS score is not provided, and the EPSS is unavailable, so quantifying likelihood is difficult, but a UAF of this nature is considered high severity. The flaw is not listed in CISA KEV, so current exploitation activity is unknown. If an attacker can trigger the race—likely requiring local or elevated privilege—the impact would be local privilege escalation or denial of service. The lack of a public exploit is reassuring, but the potential remains significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< 2aa4c12723fe432e623462a3be42a197a128722b
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< 03bfa95e452e2b6ccd76a332060ae4feaf5ad84d
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< 474293d90880622fde9d2430fb0165767090f7b3
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< 2047c2aa0963bb2872fd722300a15bcb441a4c00
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< 7de2d447072be3b1a76793f034432338fc9c494b
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< ab269990ed58143a92a263be1bee626d82ac03da
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< 3b20ec8f31e8a6a6782243f473b0abd3463621df
`bdabad3e363d825ddf9679dd431cca0b2c30f881`	affected	< a2171131ecda1ed61a594a1eb715e75fdad0fef5

Linux

affected

Version	Status	Constraints
`4.7`	affected	—
`0`	unaffected	< 4.7
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the fix for qrtr_port_remove reference counting
If the patch cannot be applied immediately, disable the QRTR subsystem or blacklist the driver to eliminate the vulnerable code path
If upgrading is not feasible, rebuild the kernel with the updated qrtr code or apply the specific commit from the provided git URLs

Generated by OpenCVE AI on June 24, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/03bfa95e452e2b6ccd76a332060ae4feaf5ad84d
https://git.kernel.org/stable/c/2047c2aa0963bb2872fd722300a15bcb441a4c00
https://git.kernel.org/stable/c/2aa4c12723fe432e623462a3be42a197a128722b
https://git.kernel.org/stable/c/3b20ec8f31e8a6a6782243f473b0abd3463621df
https://git.kernel.org/stable/c/474293d90880622fde9d2430fb0165767090f7b3
https://git.kernel.org/stable/c/7de2d447072be3b1a76793f034432338fc9c494b
https://git.kernel.org/stable/c/a2171131ecda1ed61a594a1eb715e75fdad0fef5
https://git.kernel.org/stable/c/ab269990ed58143a92a263be1bee626d82ac03da

History

Wed, 24 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-367

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove In qrtr_port_remove(), the socket reference count is decremented via __sock_put() before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This breaks the fundamental RCU update paradigm. It exposes a race window where a concurrent RCU reader (such as qrtr_reset_ports() or qrtr_port_lookup()) can obtain a pointer to the socket from the XArray, and attempt to call sock_hold() on a socket whose reference count has already dropped to zero. This exact race condition was hit during syzkaller fuzzing, leading to the following refcount saturation warning and a potential Use-After-Free: refcount_t: saturated; leaking memory. WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0 Modules linked in: qrtr(+) bochs drm_shmem_helper ... Call Trace: <TASK> qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr] __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr] qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr] kernel_bind+0xe4/0x120 net/socket.c:3592 qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr] qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr] do_one_initcall+0xf5/0x5e0 init/main.c:1283 ... </TASK> Fix this by deferring the reference count decrement until after the xa_erase() and the synchronize_rcu() complete. (Note: The v1 of this patch incorrectly replaced __sock_put() with sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove() still hold a reference to the socket, so freeing the socket memory here would lead to a subsequent UAF in the caller. Thus, the __sock_put() is kept, but only repositioned to close the RCU race.)
Title		net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/03bfa95e452e2b6ccd76a332060ae4feaf5ad84d https://git.kernel.org/stable/c/2047c2aa0963bb2872fd722300a15bcb441a4c00 https://git.kernel.org/stable/c/2aa4c12723fe432e623462a3be42a197a128722b https://git.kernel.org/stable/c/3b20ec8f31e8a6a6782243f473b0abd3463621df https://git.kernel.org/stable/c/474293d90880622fde9d2430fb0165767090f7b3 https://git.kernel.org/stable/c/7de2d447072be3b1a76793f034432338fc9c494b https://git.kernel.org/stable/c/a2171131ecda1ed61a594a1eb715e75fdad0fef5 https://git.kernel.org/stable/c/ab269990ed58143a92a263be1bee626d82ac03da

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:26:05.062Z

Updated: 2026-06-24T16:26:05.062Z

Reserved: 2026-06-09T07:44:35.371Z

Link: CVE-2026-52947

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:15:15Z

Weaknesses

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object