PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52947 Linux CVE debrief

CVE-2026-52947 is a HIGH severity vulnerability in the Linux kernel, with a CVSS score of 7.8. The vulnerability is related to a refcount saturation and potential Use-After-Free (UAF) in the qrtr_port_remove function. This could allow a local attacker to cause a denial of service or potentially execute arbitrary code. The vulnerability was introduced due to a race condition in the qrtr_port_remove function, where the socket reference count is decremented before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This creates a window where a concurrent RCU reader can obtain a pointer to the socket and attempt to call sock_hold on a socket whose reference count has already dropped to zero.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-06-28
Advisory published
2026-06-24
Advisory updated
2026-06-28

Who should care

Linux kernel developers, administrators, and users who rely on the Linux kernel should be aware of this vulnerability. The vulnerability is particularly concerning for systems that use the qrtr (Qualcomm's Quick Reliable Transport) module, as it could allow a local attacker to cause a denial of service or potentially execute arbitrary code. Linux distributions and vendors should prioritize patching this vulnerability to prevent potential exploits.

Technical summary

The vulnerability is caused by a race condition in the qrtr_port_remove function, where the socket reference count is decremented before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This creates a window where a concurrent RCU reader can obtain a pointer to the socket and attempt to call sock_hold on a socket whose reference count has already dropped to zero. The fix involves deferring the reference count decrement until after the xa_erase and the synchronize_rcu complete.

Defensive priority

High priority should be given to patching this vulnerability, as it could allow a local attacker to cause a denial of service or potentially execute arbitrary code. Linux distributions and vendors should prioritize patching this vulnerability to prevent potential exploits.

Recommended defensive actions

  • Apply the official patch from the Linux kernel maintainers.
  • Review and update Linux kernel configurations to ensure qrtr module is not loaded unnecessarily.
  • Monitor system logs for suspicious activity related to the qrtr module.
  • Consider implementing additional security controls, such as SELinux or AppArmor, to restrict access to sensitive resources.
  • Perform regular vulnerability scans and patch management to ensure timely updates.

Evidence notes

The vulnerability was discovered through syzkaller fuzzing, which led to a refcount saturation warning and a potential Use-After-Free. The fix was developed by deferring the reference count decrement until after the xa_erase and the synchronize_rcu complete. The CVE record and NVD detail provide additional information on the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.