PatchSiren

CVE-2026-46026 Linux CVE debrief

A vulnerability in the Linux kernel's Qualcomm IPC Router (QRTR) nameserver allows a malicious local client to exhaust system resources by sending an unbounded number of NEW_LOOKUP messages. The QRTR protocol facilitates communication between Qualcomm subsystem components, and its nameserver component previously performed no bounds checking on lookup operations. While the code restricts lookups to local clients, a single malicious local client could flood the socket with lookup requests, potentially causing denial of service through resource exhaustion. The fix implements a global maximum of 64 concurrent lookups across all clients, which is sufficient given that the nameserver permits only one local observer. This limit was selected based on current platform requirements and can be adjusted if future needs change. The vulnerability was resolved by introducing a hard cap on lookup operations to prevent uncontrolled resource consumption.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux on Qualcomm-based hardware, embedded systems using QRTR for inter-processor communication, telecommunications infrastructure, mobile device management platforms, and security teams responsible for kernel-level vulnerability management in constrained or high-availability environments.

Technical summary

The QRTR (Qualcomm IPC Router) nameserver in the Linux kernel failed to enforce limits on the number of lookup operations a client could perform. A malicious local client could exploit this by sending a flood of NEW_LOOKUP messages over the same socket, potentially causing resource exhaustion and denial of service. The vulnerability exists because the code only restricts lookups to local clients without implementing rate limiting or maximum bounds. The resolution introduces a global maximum of 64 concurrent lookups, which is adequate given the architectural constraint of permitting only one local observer in the nameserver design.

Defensive priority

medium

Recommended defensive actions

  • Review the kernel version and confirm whether the QRTR nameserver component is present, particularly on Qualcomm-based systems or embedded Linux deployments
  • Apply kernel updates containing the fix commits once available through distribution channels
  • Monitor for kernel packages addressing CVE-2026-46026 in security advisories from Linux distribution vendors
  • Consider local access controls to limit exposure to untrusted local users where QRTR is required
  • Assess whether QRTR/nameserver functionality can be disabled or restricted if not required for system operation
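
One way to carry out the first and last actions above, as an added example that is not part of the advisory or of the kernel project: the script classifies a host from its kernel config, /proc/modules and /proc/net/protocols. It assumes the usual upstream names (config option CONFIG_QRTR, module qrtr, protocol QIPCRTR) and reports only whether QRTR is present, not whether the fix has been applied.

```shell
#!/bin/sh
# Added example: report whether QRTR is present on a host. File paths are
# parameters so the same logic runs on saved copies from other machines.

# Print y, m or n for CONFIG_QRTR in a kernel config file (plain or .gz).
qrtr_config_state() {
    case $1 in
        *.gz) line=$(gzip -dc "$1" 2>/dev/null | grep -E '^CONFIG_QRTR=[ym]$') || line= ;;
        *)    line=$(grep -E '^CONFIG_QRTR=[ym]$' "$1" 2>/dev/null) || line= ;;
    esac
    case $line in
        CONFIG_QRTR=y) echo y ;;
        CONFIG_QRTR=m) echo m ;;
        *)             echo n ;;
    esac
}

# Succeed if the qrtr module appears in a /proc/modules listing.
qrtr_module_loaded() {
    grep -qE '^qrtr ' "$1" 2>/dev/null
}

# Succeed if the QIPCRTR protocol appears in a /proc/net/protocols listing.
qrtr_proto_registered() {
    grep -qE '^QIPCRTR[[:space:]]' "$1" 2>/dev/null
}

# qrtr_exposure CONFIG MODULES PROTOCOLS prints one of:
#   active   - QRTR code is in the running kernel
#   loadable - built as a module, not loaded at the moment
#   absent   - not built for this kernel
qrtr_exposure() {
    state=$(qrtr_config_state "$1")
    if qrtr_proto_registered "$3" || qrtr_module_loaded "$2" || [ "$state" = y ]; then
        echo active
    elif [ "$state" = m ]; then
        echo loadable
    else
        echo absent
    fi
}

# Live check; the config path varies by distribution (/proc/config.gz on some).
if [ "${1:-}" = "--live" ]; then
    qrtr_exposure "/boot/config-$(uname -r)" /proc/modules /proc/net/protocols
fi
```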

Evidence notes

The vulnerability description indicates this issue was resolved in the Linux kernel's QRTR nameserver component. The fix limits maximum lookups to 64 globally. Multiple stable kernel branch commits are referenced, indicating backports to supported kernel versions. The NVD entry shows status 'Awaiting Analysis' with no CVSS score assigned at time of disclosure.

Official resources

2026-05-27