CVE-2026-52947
Use-After-Free in Linux Kernel QRTR Network Protocol

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove

In qrtr_port_remove(), the socket reference count is decremented via __sock_put() before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This breaks the fundamental RCU update paradigm. It exposes a race window where a concurrent RCU reader (such as qrtr_reset_ports() or qrtr_port_lookup()) can obtain a pointer to the socket from the XArray and attempt to call sock_hold() on a socket whose reference count has already dropped to zero.

This exact race condition was hit during syzkaller fuzzing, leading to the following refcount saturation warning and a potential Use-After-Free:

refcount_t: saturated; leaking memory.
WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0
Modules linked in: qrtr(+) bochs drm_shmem_helper ...
Call Trace:
<TASK>
qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]
__qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]
qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]
kernel_bind+0xe4/0x120 net/socket.c:3592
qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]
qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]
do_one_initcall+0xf5/0x5e0 init/main.c:1283
...
</TASK>

Fix this by deferring the reference count decrement until after the xa_erase() and the synchronize_rcu() complete.

(Note: the v1 of this patch incorrectly replaced __sock_put() with sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove() still hold a reference to the socket, so freeing the socket memory here would lead to a subsequent UAF in the caller. Thus, the __sock_put() is kept, but only repositioned to close the RCU race.)
Meta Information

Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products

Showing 1 associated CPE

Vendor: linux_kernel
Product: linux_kernel
Version / Range: *
Executive Summary

This vulnerability exists in the Linux kernel's qrtr module, specifically in the qrtr_port_remove() function. The issue arises because the socket reference count is decremented too early, before the port is removed from the qrtr_ports XArray and before the RCU grace period ends.

This premature decrement breaks the Read-Copy-Update (RCU) update paradigm, creating a race condition where a concurrent RCU reader can access a socket pointer whose reference count has already dropped to zero. This can lead to a Use-After-Free (UAF) situation, where the system tries to use memory that has already been freed.

The vulnerability was discovered during syzkaller fuzzing and can cause refcount saturation warnings and potential memory leaks or crashes.

The fix involves deferring the decrement of the socket's reference count until after the port is removed and the RCU grace period completes, ensuring safe memory handling.

Impact Analysis

This vulnerability can lead to a Use-After-Free condition in the Linux kernel, which may cause system instability, crashes, or memory corruption.

An attacker or a faulty process could potentially exploit this race condition to cause denial of service by crashing the kernel or leaking memory.

While the description does not explicitly mention privilege escalation or remote code execution, Use-After-Free vulnerabilities in kernel code can sometimes be leveraged for such attacks depending on the context.

Detection Guidance

This vulnerability manifests in the Linux kernel logs as a refcount saturation warning, which signals the potential Use-After-Free (UAF). Specifically, you may observe messages like:

  • "refcount_t: saturated; leaking memory."
  • "WARNING: CPU: <cpu_id> PID: <pid> at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0"

followed by a call trace that passes through qrtr functions (net/qrtr/af_qrtr.c), such as qrtr_reset_ports or qrtr_bind.

To detect this on your system, you can monitor the kernel logs for such warnings using commands like:

  • dmesg | grep -i 'refcount_t: saturated'
  • journalctl -k | grep -i 'refcount_t: saturated'

Additionally, monitoring for crashes or unusual behavior related to the qrtr module may help identify exploitation attempts.

Mitigation Strategies

The vulnerability has been fixed by changing the timing of the socket reference count decrement in the qrtr_port_remove() function to avoid the race condition.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • If updating immediately is not possible, consider disabling or unloading the qrtr kernel module if it is not required in your environment.
  • Monitor kernel logs for refcount saturation warnings to detect potential exploitation attempts.