CVE-2026-43041 Overview
CVE-2026-43041 is a memory leak vulnerability in the Linux kernel's Qualcomm IPC Router (net/qrtr) subsystem. The flaw resides in the qrtr_tx_flow data structure, which previously used the deprecated radix_tree API. When __radix_tree_create() allocates intermediate nodes and a subsequent allocation fails, already-linked internal nodes remain in the tree without a corresponding leaf entry. These orphaned nodes are never reclaimed because radix_tree_for_each_slot() only iterates over slots containing leaf values. The fix migrates qrtr_tx_flow from radix_tree to xarray, allowing xa_destroy() to properly free internal nodes when the qrtr_node is released.
Critical Impact
Repeated allocation failures on systems using the qrtr networking stack cause unbounded kernel memory consumption that cannot be reclaimed without a reboot.
Affected Products
- Linux kernel branches containing the qrtr_tx_flowradix_tree implementation in net/qrtr
- Devices and platforms relying on Qualcomm IPC Router (QRTR) sockets, commonly Qualcomm-based hardware
- Kernel builds prior to the patches listed in the kernel.org stable commits
Discovery Timeline
- 2026-05-01 - CVE-2026-43041 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43041
Vulnerability Analysis
The Linux kernel's net/qrtr module uses qrtr_tx_flow to track flow-control state for QRTR socket transmissions. The structure was implemented using the legacy radix_tree API. The __radix_tree_create() function builds the tree by allocating and linking intermediate nodes one level at a time. If any allocation later in the chain fails, earlier intermediate nodes remain attached to the tree.
These orphaned nodes hold no leaf data but consume kernel memory. The standard cleanup iterator radix_tree_for_each_slot() walks only slots that contain leaf values, so the empty internal nodes are skipped during teardown. When the owning qrtr_node is destroyed, the orphaned memory is leaked permanently.
Root Cause
The root cause is the lifecycle mismatch between radix_tree internal node allocation and its cleanup iterator. Partial-failure paths in __radix_tree_create() leave structural nodes in the tree that have no leaf and therefore are invisible to the slot-iteration cleanup. The radix_tree API has been deprecated in favor of xarray, which exposes xa_destroy() to free all internal nodes regardless of leaf presence.
Attack Vector
The leak triggers under conditions that cause memory allocation failures during QRTR transmit-flow tracking. An adversary or workload able to repeatedly open QRTR sockets and induce allocation pressure can amplify the leak, leading to kernel memory exhaustion and denial of service. Exploitation requires the ability to interact with the QRTR subsystem, typically available locally on Qualcomm-based Linux platforms.
No public proof-of-concept exploit code is available. The vulnerability mechanism is documented in the upstream patch series referenced in the kernel mailing list discussion.
Detection Methods for CVE-2026-43041
Indicators of Compromise
- Steadily increasing kernel slab memory usage attributable to radix_tree_node allocations on systems running QRTR workloads
- dmesg entries indicating allocation failures originating from net/qrtr code paths
- Long-running hosts using Qualcomm IPC Router showing unexplained kernel memory pressure that persists across QRTR session teardowns
Detection Strategies
- Monitor /proc/slabinfo for sustained growth in radix_tree_node counts on kernels predating the fix
- Track kernel running version against the fixed commits (0fda873, 2428083, 4b75ffa, 5d2249e, 6940290, f2664bc, f2dd9aa, ff134cc) using configuration management tooling
- Use kernel memory profilers such as kmemleak to identify orphaned radix_tree nodes referenced from qrtr_node structures
Monitoring Recommendations
- Alert on abnormal growth of kernel non-pageable memory on Qualcomm-based Linux endpoints and embedded devices
- Capture and review kernel logs for repeated -ENOMEM events emitted from net/qrtr functions
- Inventory affected kernel versions across the fleet and prioritize Qualcomm-platform devices that depend on QRTR sockets
How to Mitigate CVE-2026-43041
Immediate Actions Required
- Identify Linux systems running QRTR-dependent workloads, particularly Qualcomm-based hardware and modems
- Apply the upstream stable kernel patches that replace qrtr_tx_flow's radix_tree with an xarray
- Reboot affected hosts after patching to release any memory already leaked by the prior implementation
Patch Information
The fix replaces the radix_tree backing of qrtr_tx_flow with an xarray, ensuring xa_destroy() reclaims all internal nodes when a qrtr_node is released. The patch is distributed across multiple stable branches via the following commits: 0fda873, 2428083, 4b75ffa, 5d2249e, 6940290, f2664bc, f2dd9aa, and ff134cc.
Workarounds
- Where QRTR is not required, unload or disable the qrtr kernel module to remove the affected code path
- Restrict local access to QRTR sockets so only trusted processes can drive transmit-flow allocations
- Schedule periodic reboots on long-running, unpatched hosts to reclaim leaked kernel memory until patches can be deployed
# Check if the qrtr module is loaded and disable when not required
lsmod | grep qrtr
sudo modprobe -r qrtr_smd qrtr_tun qrtr
echo "blacklist qrtr" | sudo tee /etc/modprobe.d/blacklist-qrtr.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
