PatchSiren

CVE-2026-46047 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's Qualcomm IPC Router (QRTR) namespace driver. The flaw occurs in the driver's remove callback, where a race condition between packet arrival and workqueue destruction can lead to memory corruption. Specifically, if a packet arrives after `destroy_workqueue()` is called but before `sock_release()` completes, the `qrtr_ns_data_ready()` callback attempts to queue work on the destroyed workqueue, dereferencing freed memory. The fix involves saving the default `sk_data_ready` callback during initialization and restoring it at the start of the remove callback, ensuring that packet arrivals after workqueue destruction do not trigger the vulnerable code path. Additionally, the fix ensures RX threads complete before workqueue destruction to prevent concurrent use of the callback.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Qualcomm-based hardware utilizing the QRTR subsystem, particularly embedded and mobile platforms, IoT devices with Qualcomm modems, and telecommunications infrastructure relying on Qualcomm IPC Router services. System administrators maintaining kernel modules that may be dynamically loaded and unloaded should prioritize this fix, because the race condition can be triggered during module lifecycle operations.

Technical summary

The vulnerability resides in `net/qrtr/ns.c`, the Qualcomm IPC Router namespace service driver. During module removal, the driver destroys its workqueue via `destroy_workqueue()` before releasing its socket via `sock_release()`. This creates a window where incoming packets can trigger the `qrtr_ns_data_ready()` callback, which attempts to queue work items on the destroyed workqueue. The fix implements a two-part mitigation: (1) saving the original `sk_data_ready` callback pointer during `qrtr_ns_init()` and restoring it at the beginning of the remove callback, preventing any post-destruction packet arrivals from reaching the vulnerable callback; and (2) ensuring RX thread completion before workqueue destruction to eliminate in-flight callback usage. The kernel commits referenced provide backports to multiple stable kernel branches.
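
The teardown ordering described above, modelled in userspace C as an added example (it is not the kernel patch or code from the kernel tree). The `model_*` types, `default_ready`, `ns_ready` and the `teardown` modes are hypothetical stand-ins, and an RX thread that is mid-callback is represented as a copy of the callback pointer taken before teardown starts; `model_remove()` returns how many times a destroyed workqueue was used.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, constructed for illustration; none of this is kernel code. */
struct model_wq { bool destroyed; int queued, stale; };
struct model_sock;
typedef void (*ready_fn)(struct model_sock *);
struct model_sock { ready_fn sk_data_ready; struct model_wq *wq; };

/* Stand-in for the socket's default callback: never touches the workqueue. */
static void default_ready(struct model_sock *sk) { (void)sk; }
/* Stand-in for qrtr_ns_data_ready(): queues work on the driver's workqueue. */
static void ns_ready(struct model_sock *sk)
{
    if (sk->wq->destroyed)
        sk->wq->stale++;    /* in the kernel: work queued on freed memory */
    else
        sk->wq->queued++;
}

enum teardown { UNPATCHED, RESTORE_ONLY, RESTORE_AND_DRAIN };

/* Runs one remove sequence; returns how often a destroyed workqueue was used. */
int model_remove(enum teardown mode)
{
    struct model_wq wq = { false, 0, 0 };
    struct model_sock sk = { default_ready, &wq };
    ready_fn saved = sk.sk_data_ready;     /* init: save the default callback */
    sk.sk_data_ready = ns_ready;           /* init: install the driver callback */
    ready_fn in_flight = sk.sk_data_ready; /* RX thread already holds this pointer */
    if (mode != UNPATCHED)
        sk.sk_data_ready = saved;          /* fix part 1: restore before teardown */
    if (mode == RESTORE_AND_DRAIN) {
        in_flight(&sk);                    /* fix part 2: RX thread finishes first */
        in_flight = NULL;
    }
    wq.destroyed = true;                   /* destroy_workqueue() */
    if (in_flight)
        in_flight(&sk);                    /* late RX thread runs after destruction */
    sk.sk_data_ready(&sk);                 /* packet arrives before sock_release() */
    return wq.stale;
}

int main(void)
{
    printf("unpatched=%d restore_only=%d restore_and_drain=%d\n", model_remove(UNPATCHED),
           model_remove(RESTORE_ONLY), model_remove(RESTORE_AND_DRAIN));
    return 0;
}
```

Restoring the callback alone still leaves one stale use in this model, which is why the fix also waits for RX threads before destroying the workqueue.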

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches when available through distribution security channels
  • Monitor vendor security advisories for backported fixes to affected long-term support kernel versions
  • Review systems utilizing Qualcomm IPC Router (QRTR) functionality for namespace service exposure
  • Prioritize patching on systems where QRTR namespace driver modules may be loaded and unloaded dynamically
  • Validate kernel build configurations to ensure QRTR_NS is either disabled or patched on affected systems

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Fix commits identified in kernel.org stable tree. No CVSS score or severity assigned by NVD at time of publication (status: Awaiting Analysis). Vendor attribution marked as low confidence requiring review based on reference domain analysis.
