{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46047", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.094Z", "datePublished": "2026-05-27T12:57:03.471Z", "dateUpdated": "2026-05-27T12:57:03.471Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:57:03.471Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Fix use-after-free in driver remove()\n\nIn the remove callback, if a packet arrives after destroy_workqueue() is\ncalled, but before sock_release(), the qrtr_ns_data_ready() callback will\ntry to queue the work, causing use-after-free issue.\n\nFix this issue by saving the default 'sk_data_ready' callback during\nqrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at\nthe start of remove(). This ensures that even if a packet arrives after\ndestroy_workqueue(), the work struct will not be dereferenced.\n\nNote that it is also required to ensure that the RX threads are completed\nbefore destroying the workqueue, because the threads could be using the\nqrtr_ns_data_ready() callback."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/qrtr/ns.c"], "versions": [{"version": "0c2204a4ad710d95d348ea006f14ba926e842ffd", "lessThan": "0f313eb6a8f6dffa491373cf3afab979fa1c02f4", "status": "affected", "versionType": "git"}, {"version": "0c2204a4ad710d95d348ea006f14ba926e842ffd", "lessThan": "db3c60ec772de30acae92d560dfcc5258e58dbe8", "status": "affected", "versionType": "git"}, {"version": "0c2204a4ad710d95d348ea006f14ba926e842ffd", "lessThan": "2e127ceb1c415e246076d8e09e23e443a7a2038f", "status": "affected", "versionType": "git"}, {"version": "0c2204a4ad710d95d348ea006f14ba926e842ffd", "lessThan": "f96779e916576e81430ebb326baff6e433fef8ae", "status": "affected", "versionType": "git"}, {"version": "0c2204a4ad710d95d348ea006f14ba926e842ffd", "lessThan": "7809fea20c9404bfcfa6112ec08d1fe1d3520beb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/qrtr/ns.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.86", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.27", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.4", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.86"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.0.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4"}, {"url": "https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8"}, {"url": "https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f"}, {"url": "https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae"}, {"url": "https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb"}], "title": "net: qrtr: ns: Fix use-after-free in driver remove()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Fix use-after-free in driver remove()\n\nIn the remove callback, if a packet arrives after destroy_workqueue() is\ncalled, but before sock_release(), the qrtr_ns_data_ready() callback will\ntry to queue the work, causing use-after-free issue.\n\nFix this issue by saving the default 'sk_data_ready' callback during\nqrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at\nthe start of remove(). This ensures that even if a packet arrives after\ndestroy_workqueue(), the work struct will not be dereferenced.\n\nNote that it is also required to ensure that the RX threads are completed\nbefore destroying the workqueue, because the threads could be using the\nqrtr_ns_data_ready() callback."}], "id": "CVE-2026-46047", "lastModified": "2026-05-27T14:48:03.013", "metrics": {}, "published": "2026-05-27T14:17:24.200", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}