CVE-2026-43491
Linux Kernel Memory Exhaustion via QRTR Server Registration
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | to 256 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's qrtr namespace (ns) component, where there is no limit on the number of servers that can be registered per node.
A malicious client can exploit this by flooding the system with NEW_SERVER messages, causing the system to add an excessive number of servers and thereby exhaust memory.
The fix implemented limits the maximum number of server registrations to 256 per node to prevent memory exhaustion.
How can this vulnerability impact me? :
This vulnerability can lead to memory exhaustion on affected Linux systems if exploited by a malicious client flooding NEW_SERVER messages.
Memory exhaustion can cause system instability, degraded performance, or crashes, potentially disrupting services running on the affected system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by limiting the maximum number of server registrations to 256 per node in the Linux kernel's qrtr namespace code.
To mitigate this vulnerability immediately, ensure your Linux kernel is updated to a version that includes this fix.
This update prevents malicious clients from flooding NEW_SERVER messages and exhausting memory by enforcing the server registration limit.