CVE-2026-46047
Analyzed - Analysis Complete
Use-After-Free in Linux Kernel QRTR Network Stack

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Fix use-after-free in driver remove()

In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing use-after-free issue.

Fix this issue by saving the default 'sk_data_ready' callback during qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced.

Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback.

Meta Information

Published: 2026-05-27

Last Modified: 2026-06-16

Generated: 2026-06-16

AI Q&A: 2026-05-27

EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 7 associated CPEs

Vendor | Product | Version / Range
linux | linux_kernel | From 6.7 (inc) to 6.12.86 (exc)
linux | linux_kernel | From 5.16 (inc) to 6.1.175 (exc)
linux | linux_kernel | From 5.11 (inc) to 5.15.209 (exc)
linux | linux_kernel | From 6.2 (inc) to 6.6.140 (exc)
linux | linux_kernel | From 6.13 (inc) to 6.18.27 (exc)
linux | linux_kernel | From 6.19 (inc) to 7.0.4 (exc)
linux | linux_kernel | From 5.7 (inc) to 5.10.258 (exc)

CWE
CWE ID | Description
CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's qrtr network driver during the remove callback process.

Specifically, if a packet arrives after the workqueue is destroyed (destroy_workqueue() called) but before the socket is released (sock_release()), the qrtr_ns_data_ready() callback attempts to queue work on a freed structure, leading to use-after-free.

The fix involves saving the original 'sk_data_ready' callback during initialization and restoring it at the start of the remove process to prevent dereferencing freed memory. Additionally, it ensures RX threads complete before destroying the workqueue.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior such as system crashes, memory corruption, or potential execution of arbitrary code within the kernel context.

Such impacts can compromise system stability and security, potentially allowing attackers to escalate privileges or cause denial of service.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel is updated to a version where the fix has been applied. The fix involves saving the default 'sk_data_ready' callback during qrtr_ns_init() and replacing the qrtr_ns_data_ready() callback at the start of the remove() function to prevent use-after-free issues.

Additionally, it is important to ensure that the RX threads are completed before destroying the workqueue, as these threads could be using the qrtr_ns_data_ready() callback.
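
The ordering described above, as an added userspace model in C (not kernel code and not part of the original advisory): the struct and function names are hypothetical stand-ins, and a flag models the destroyed workqueue. It shows that restoring the saved default callback before the workqueue is destroyed keeps a late packet away from the work struct; the single-threaded model has no RX threads to wait for.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; all names are hypothetical stand-ins, not kernel code. */
struct model_sock { void (*sk_data_ready)(struct model_sock *sk); };

static struct {
    struct model_sock sock;
    void (*saved_data_ready)(struct model_sock *sk); /* default, saved at init */
    bool workqueue_alive;
    int stale_queue; /* queue attempts after destroy: the use-after-free case */
} ns;

static void default_data_ready(struct model_sock *sk) { (void)sk; }

static void ns_data_ready(struct model_sock *sk)
{
    (void)sk;
    if (!ns.workqueue_alive)
        ns.stale_queue++; /* the kernel would touch a freed work struct here */
}

static void model_init(void)
{
    ns.sock.sk_data_ready = default_data_ready;
    ns.saved_data_ready = ns.sock.sk_data_ready; /* save the default callback */
    ns.sock.sk_data_ready = ns_data_ready;
    ns.workqueue_alive = true;
    ns.stale_queue = 0;
}

/* Packet arrives between workqueue destruction and socket release;
 * returns how many times the stale queueing path ran. */
int remove_with_late_packet(bool restore_first)
{
    model_init();
    if (restore_first) /* first step of the fixed remove() */
        ns.sock.sk_data_ready = ns.saved_data_ready;
    ns.workqueue_alive = false;      /* models destroy_workqueue() */
    ns.sock.sk_data_ready(&ns.sock); /* late packet, before sock_release() */
    return ns.stale_queue;
}

int main(void)
{
    printf("unfixed: %d stale, fixed: %d stale\n",
           remove_with_late_packet(false), remove_with_late_packet(true));
    return 0;
}
```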
