CVE-2026-52947
Analyzed Analyzed - Analysis Complete

Use-After-Free in Linux Kernel QRTR Network Protocol

Vulnerability report for CVE-2026-52947, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove In qrtr_port_remove(), the socket reference count is decremented via __sock_put() before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This breaks the fundamental RCU update paradigm. It exposes a race window where a concurrent RCU reader (such as qrtr_reset_ports() or qrtr_port_lookup()) can obtain a pointer to the socket from the XArray, and attempt to call sock_hold() on a socket whose reference count has already dropped to zero. This exact race condition was hit during syzkaller fuzzing, leading to the following refcount saturation warning and a potential Use-After-Free: refcount_t: saturated; leaking memory. WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0 Modules linked in: qrtr(+) bochs drm_shmem_helper ... Call Trace: <TASK> qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr] __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr] qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr] kernel_bind+0xe4/0x120 net/socket.c:3592 qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr] qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr] do_one_initcall+0xf5/0x5e0 init/main.c:1283 ... </TASK> Fix this by deferring the reference count decrement until after the xa_erase() and the synchronize_rcu() complete. (Note: The v1 of this patch incorrectly replaced __sock_put() with sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove() still hold a reference to the socket, so freeing the socket memory here would lead to a subsequent UAF in the caller. Thus, the __sock_put() is kept, but only repositioned to close the RCU race.)

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.210 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 4.7 (inc) to 5.10.259 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's qrtr module, specifically in the qrtr_port_remove() function. The issue arises because the socket reference count is decremented too early, before the port is removed from the qrtr_ports XArray and before the RCU grace period ends.

This premature decrement breaks the Read-Copy-Update (RCU) update paradigm, creating a race condition where a concurrent RCU reader can access a socket pointer whose reference count has already dropped to zero. This can lead to a Use-After-Free (UAF) situation, where the system tries to use memory that has already been freed.

The vulnerability was discovered during syzkaller fuzzing and can cause refcount saturation warnings and potential memory leaks or crashes.

The fix involves deferring the decrement of the socket's reference count until after the port is removed and the RCU grace period completes, ensuring safe memory handling.

Impact Analysis

This vulnerability can lead to a Use-After-Free condition in the Linux kernel, which may cause system instability, crashes, or memory corruption.

An attacker or a faulty process could potentially exploit this race condition to cause denial of service by crashing the kernel or leaking memory.

While the description does not explicitly mention privilege escalation or remote code execution, Use-After-Free vulnerabilities in kernel code can sometimes be leveraged for such attacks depending on the context.

Detection Guidance

This vulnerability can manifest as a refcount saturation warning and potential Use-After-Free (UAF) in the Linux kernel logs. Specifically, you may observe messages like:

  • "refcount_t: saturated; leaking memory."
  • "WARNING: CPU: <cpu_id> PID: <pid> at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0"

To detect this on your system, you can monitor the kernel logs for such warnings using commands like:

  • dmesg | grep -i 'refcount_t: saturated'
  • journalctl -k | grep -i 'refcount_t: saturated'

Additionally, monitoring for crashes or unusual behavior related to the qrtr module may help identify exploitation attempts.

Mitigation Strategies

The vulnerability has been fixed by changing the timing of the socket reference count decrement in the qrtr_port_remove() function to avoid the race condition.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, consider disabling or unloading the qrtr kernel module if it is not required in your environment.
  • Monitor kernel logs for refcount saturation warnings to detect potential exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart