7.8
CVE-2026-52947
- EPSS 0.14%
- Veröffentlicht 24.06.2026 16:26:05
- Zuletzt bearbeitet 10.07.2026 19:23:34
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove In qrtr_port_remove(), the socket reference count is decremented via __sock_put() before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This breaks the fundamental RCU update paradigm. It exposes a race window where a concurrent RCU reader (such as qrtr_reset_ports() or qrtr_port_lookup()) can obtain a pointer to the socket from the XArray, and attempt to call sock_hold() on a socket whose reference count has already dropped to zero. This exact race condition was hit during syzkaller fuzzing, leading to the following refcount saturation warning and a potential Use-After-Free: refcount_t: saturated; leaking memory. WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0 Modules linked in: qrtr(+) bochs drm_shmem_helper ... Call Trace: <TASK> qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr] __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr] qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr] kernel_bind+0xe4/0x120 net/socket.c:3592 qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr] qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr] do_one_initcall+0xf5/0x5e0 init/main.c:1283 ... </TASK> Fix this by deferring the reference count decrement until after the xa_erase() and the synchronize_rcu() complete. (Note: The v1 of this patch incorrectly replaced __sock_put() with sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove() still hold a reference to the socket, so freeing the socket memory here would lead to a subsequent UAF in the caller. Thus, the __sock_put() is kept, but only repositioned to close the RCU race.)
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
2aa4c12723fe432e623462a3be42a197a128722b
Status
affected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
03bfa95e452e2b6ccd76a332060ae4feaf5ad84d
Status
affected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
474293d90880622fde9d2430fb0165767090f7b3
Status
affected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
2047c2aa0963bb2872fd722300a15bcb441a4c00
Status
affected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
7de2d447072be3b1a76793f034432338fc9c494b
Status
affected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
ab269990ed58143a92a263be1bee626d82ac03da
Status
affected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
3b20ec8f31e8a6a6782243f473b0abd3463621df
Status
affected
Version
bdabad3e363d825ddf9679dd431cca0b2c30f881
Version <
a2171131ecda1ed61a594a1eb715e75fdad0fef5
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
4.7
Status
affected
Version
0
Version <
4.7
Status
unaffected
Version <=
5.10.*
Version
5.10.259
Status
unaffected
Version <=
5.15.*
Version
5.15.210
Status
unaffected
Version <=
6.1.*
Version
6.1.176
Status
unaffected
Version <=
6.6.*
Version
6.6.143
Status
unaffected
Version <=
6.12.*
Version
6.12.94
Status
unaffected
Version <=
6.18.*
Version
6.18.36
Status
unaffected
Version <=
7.0.*
Version
7.0.13
Status
unaffected
Version <=
*
Version
7.1
Status
unaffected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.033 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
https://git.kernel.org/stable/c/2aa4c12723fe432e623462a3be42a197a128722b
https://git.kernel.org/stable/c/03bfa95e452e2b6ccd76a332060ae4feaf5ad84d
https://git.kernel.org/stable/c/474293d90880622fde9d2430fb0165767090f7b3
https://git.kernel.org/stable/c/2047c2aa0963bb2872fd722300a15bcb441a4c00
https://git.kernel.org/stable/c/7de2d447072be3b1a76793f034432338fc9c494b
https://git.kernel.org/stable/c/ab269990ed58143a92a263be1bee626d82ac03da
https://git.kernel.org/stable/c/3b20ec8f31e8a6a6782243f473b0abd3463621df
https://git.kernel.org/stable/c/a2171131ecda1ed61a594a1eb715e75fdad0fef5