PatchSiren

CVE-2026-46038 Linux CVE debrief

A memory leak vulnerability exists in the Linux kernel's Qualcomm IPC Router (QRTR) nameserver implementation. When a node sends a BYE packet to indicate it is shutting down, the nameserver properly advertises the node's removal to observers but fails to free the associated node memory. The leak occurs in the `ctrl_cmd_bye()` function, which handles node departure notifications. The vulnerability affects systems using QRTR for inter-process communication on Qualcomm platforms. The fix ensures node memory is freed in both the success and failure paths of `ctrl_cmd_bye()` by removing the node from the XArray list and deallocating it.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems on Qualcomm hardware that use QRTR for inter-process communication, including mobile devices, embedded systems, and IoT platforms. Also system administrators managing kernel security updates and developers working with Qualcomm-based Linux distributions.

Technical summary

The QRTR (Qualcomm IPC Router) subsystem in the Linux kernel contains a memory leak in its nameserver implementation. The `ctrl_cmd_bye()` function, which processes BYE packets from departing nodes, fails to free node memory after removing the node from the XArray list. This results in kernel memory leakage each time a node sends a BYE packet. The vulnerability is local in nature, requiring the ability to send QRTR control messages. The fix modifies `ctrl_cmd_bye()` to properly free node memory in both success and error code paths.
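
The leak pattern described above, as an added example that is not the kernel's code or the upstream patch: a userspace C model in which a fixed table stands in for the XArray. The names node_join, advertise_removal, bye_leaky, bye_fixed and leaked_after_bye are hypothetical, and the leaky handler is assumed to leave the node registered and allocated.

```c
/* Userspace model of the leak pattern; not the kernel's QRTR source. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_NODES 4              /* constructed; the table stands in for the XArray */
static struct node { unsigned int id; } *nodes[MAX_NODES];
static int live_nodes;           /* node allocations not yet freed */

/* Hypothetical helper: register a node on first sight (caller keeps id < MAX_NODES). */
static void node_join(unsigned int id)
{
    if (!nodes[id] && (nodes[id] = calloc(1, sizeof(struct node))))
        live_nodes++;
}

/* Hypothetical stand-in for advertising removal; fail != 0 simulates an error. */
static int advertise_removal(int fail) { return fail ? -1 : 0; }

/* Leaky shape: observers are told, the node object is never released. */
static int bye_leaky(unsigned int id, int fail)
{
    return nodes[id] ? advertise_removal(fail) : 0;
}

/* Fixed shape: unlink and free the node on the success and the failure path. */
static int bye_fixed(unsigned int id, int fail)
{
    struct node *n = nodes[id];
    int ret = n ? advertise_removal(fail) : 0;
    nodes[id] = NULL;            /* unlink from the table */
    live_nodes -= (n != NULL);
    free(n);                     /* free(NULL) is a no-op */
    return ret;
}

/* Join every node, send BYE (odd ids take the error path), count what is left. */
static int leaked_after_bye(int (*bye)(unsigned int, int))
{
    for (unsigned int id = 0; id < MAX_NODES; id++) {
        node_join(id);
        bye(id, id & 1);
    }
    return live_nodes;
}

int main(void)
{
    printf("leaky: %d nodes still allocated\n", leaked_after_bye(bye_leaky));
    printf("fixed: %d nodes still allocated\n", leaked_after_bye(bye_fixed));
    return 0;
}
```

In the model the fixed handler still returns the error from the failed advertisement, so the caller sees the failure while the node is released regardless.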

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable branch commits when available from your Linux distribution
  • Monitor vendor security advisories for kernel package updates addressing CVE-2026-46038
  • For systems using Qualcomm platforms with QRTR functionality, prioritize testing and deployment of patched kernels
  • Review system logs for unusual memory consumption patterns in long-running QRTR-dependent services as a potential indicator of exploitation
  • Consider implementing resource limits and monitoring for kernel memory usage on affected systems pending patch availability

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27. The fix involves kernel-level memory management in the QRTR subsystem. Multiple stable kernel branch commits are referenced, indicating backports to supported kernel versions. No CVSS score or severity rating has been assigned by NVD as of the modified date (2026-05-27T14:48:03Z).
