PatchSiren cyber security CVE debrief

CVE-2026-43491 Linux CVE debrief

CVE-2026-43491 is a Linux kernel qrtr namespace issue where unbounded NEW_SERVER handling could let a malicious client consume memory by repeatedly adding servers for a node. The kernel fix adds a 256-per-node registration limit, preserves replacement of existing ports, and rate-limits related error messages.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Linux kernel maintainers, distro security teams, and operators shipping kernels with qrtr support.

Technical summary

The affected code path in qrtr_ns lacked bounds checking on how many servers could be registered per node. According to the CVE description, a malicious client could flood NEW_SERVER messages and exhaust memory. The fix introduces a maximum of 256 server registrations per node, except when the message replaces an existing old port, and also rate-limits error output in qrtr_ns_worker().
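As an added illustration (not the kernel's qrtr code), the following Python model contrasts the unbounded per-node registry with the bounded one the fix describes, including the rule that replacing an already-registered port does not count against the limit. The registry layout, node ids, port numbers and service values are constructed for this model; only the 256-per-node limit and the replacement exemption come from the advisory.

```python
MAX_SERVERS_PER_NODE = 256  # limit introduced by the upstream fix

class RegistryFull(Exception):
    """Raised when a node already holds its maximum number of servers."""

class ServerRegistry:
    """Per-node table of registered servers. Layout is constructed for this
    model: node -> {port: (service, instance)}; the kernel's own structures differ."""
    def __init__(self, bounded):
        self.bounded = bounded  # False models the unpatched behaviour
        self._nodes = {}

    def handle_new_server(self, node, port, service, instance):
        """Model of NEW_SERVER handling. Returns True when a new entry was
        created, False when an existing (node, port) entry was replaced."""
        servers = self._nodes.setdefault(node, {})
        replacing = port in servers
        # Hardened path: refuse a new registration once the node holds
        # MAX_SERVERS_PER_NODE entries, but still allow a client to replace
        # the server behind a port it already registered.
        if self.bounded and not replacing and len(servers) >= MAX_SERVERS_PER_NODE:
            raise RegistryFull("node %d already has %d servers" % (node, len(servers)))
        servers[port] = (service, instance)
        return not replacing

    def count(self, node):
        return len(self._nodes.get(node, {}))

def simulate_flood(bounded, attempts=1000, node=7):
    """Feed `attempts` NEW_SERVER messages with distinct ports from one node and
    return (entries kept, messages rejected). Without the bound every message
    adds state, which is the memory-exhaustion pattern the advisory describes."""
    reg = ServerRegistry(bounded)
    rejected = 0
    for port in range(attempts):
        try:
            reg.handle_new_server(node, port, service=0x10, instance=port)
        except RegistryFull:
            rejected += 1
    return reg.count(node), rejected

def replacement_still_allowed(node=7):
    """A node at the limit can still re-register a port it owns; that path is
    exempt from the limit and does not grow the table."""
    reg = ServerRegistry(bounded=True)
    for port in range(MAX_SERVERS_PER_NODE):
        reg.handle_new_server(node, port, 0x10, port)
    created = reg.handle_new_server(node, 0, 0x11, 99)  # replace port 0
    return created is False and reg.count(node) == MAX_SERVERS_PER_NODE
```

`simulate_flood(False)` keeps all 1000 entries, while `simulate_flood(True)` stops at 256 and rejects the remaining 744.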

Defensive priority

High — memory exhaustion in kernel networking code can destabilize affected systems, so patched kernels should be prioritized.

Recommended defensive actions

  • Review whether your Linux kernel builds include qrtr support and track the corresponding stable fixes.
  • Apply the upstream kernel update that introduces the per-node 256 registration limit for qrtr ns handling.
  • Prioritize rollout on systems that may process untrusted qrtr messages or depend on qrtr-enabled networking components.
  • Monitor for abnormal qrtr-related memory growth or repeated NEW_SERVER activity until patching is complete.
  • Reduce noisy failure-path logging where possible to help detect genuine anomalies without overwhelming logs.

Evidence notes

Based on the supplied NVD record for CVE-2026-43491, which states that qrtr ns lacked bounds checking on server additions per node and that a malicious client could flood NEW_SERVER messages to exhaust memory. The record also states the fix: limit registrations to 256 per node, allow replacement of old ports, and rate-limit error messages in qrtr_ns_worker(). The NVD entry is marked Received and references five Linux kernel stable commit URLs.

Official resources

CVE-2026-43491 was published and last modified on 2026-05-19T12:16:18.747Z. The supplied NVD record lists the vulnerability status as Received.