CVE-2026-43491 Overview
CVE-2026-43491 is a Linux kernel vulnerability in the Qualcomm IPC Router (QRTR) name service. The flaw resides in net/qrtr/ns.c, which previously performed no bound checking on the number of servers a single node could register. A malicious client can flood NEW_SERVER control messages and exhaust kernel memory. The upstream fix limits server registrations to 256 per node and rate-limits error messages in the qrtr_ns_worker() failure path.
Critical Impact
A local attacker with access to the QRTR socket interface can trigger kernel memory exhaustion, leading to denial of service on affected Linux systems.
Affected Products
- Linux kernel versions containing the QRTR name service implementation prior to the fix commits
- Systems using Qualcomm IPC Router networking (commonly Qualcomm-based platforms)
- Distributions shipping vulnerable stable kernel branches
Discovery Timeline
- 2026-05-19 - CVE-2026-43491 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-43491
Vulnerability Analysis
The QRTR subsystem implements a name service that tracks servers registered by nodes on the Qualcomm IPC Router network. When a client sends a NEW_SERVER control message, the name service allocates a server entry and links it to the originating node. The pre-patch implementation did not constrain how many distinct server entries a single node could accumulate.
An attacker who can transmit QRTR control messages can repeatedly issue NEW_SERVER requests with varying port identifiers. Each request causes a fresh kernel allocation. Sustained flooding drives the kernel toward out-of-memory conditions and can stall the qrtr_ns_worker() workqueue with repeated error logging.
The fix introduces a hard cap of 256 server registrations per node. Re-registration against an existing port is permitted because the entry is replaced rather than added. Error messages emitted by qrtr_ns_worker() are now rate-limited to prevent log amplification.
Root Cause
The root cause is missing input validation on resource allocation, classifiable as a resource exhaustion flaw. The name service trusted client-supplied registration counts without enforcing per-node quotas. This allowed unbounded growth of the internal server list and associated kernel allocations.
Attack Vector
Exploitation requires the ability to send QRTR control messages to the kernel name service. On systems exposing QRTR sockets to unprivileged users or to remote nodes over the IPC router fabric, a malicious process can iterate through port numbers and emit NEW_SERVER messages in a tight loop. No authentication or capability check is performed beyond standard socket access. The vulnerability manifests in the server registration handler in net/qrtr/ns.c. See the upstream commits referenced below for the precise code changes.
Detection Methods for CVE-2026-43491
Indicators of Compromise
- Rapid growth in kernel slab allocations attributable to QRTR data structures
- High volume of QRTR NEW_SERVER control messages originating from a single process or node
- Repeated error messages emitted by qrtr_ns_worker() in kernel logs prior to the rate-limiting patch
- Out-of-memory killer activity on systems with active QRTR workloads
Detection Strategies
- Monitor /proc/slabinfo and kernel memory counters for abnormal QRTR-related growth
- Audit processes opening AF_QIPCRTR sockets and correlate with NEW_SERVER message volume
- Alert on kernel log floods containing qrtr_ns_worker error strings
- Track per-node server counts where QRTR introspection tooling is available
Monitoring Recommendations
- Forward kernel logs to a centralized analytics platform and build alerts on QRTR error patterns
- Establish baselines for QRTR control message rates on Qualcomm-based fleets
- Track kernel version inventory to identify hosts still running unpatched stable branches
How to Mitigate CVE-2026-43491
Immediate Actions Required
- Apply the stable kernel updates containing the QRTR name service patch from your distribution vendor
- Restrict access to AF_QIPCRTR sockets to trusted processes through namespace isolation or seccomp policy
- Identify and audit all systems that load the qrtr and qrtr-ns kernel modules
- Monitor kernel memory and log volume on Qualcomm-based platforms until patching is complete
Patch Information
The fix is committed upstream in the Linux stable tree. Relevant commits include Kernel Git Commit 35fb4a0, Kernel Git Commit 3efaad5, Kernel Git Commit 868202a, Kernel Git Commit d5ee2ff, and Kernel Git Commit e6f6cd5. The patch caps server registrations at 256 per node and rate-limits worker error messages.
Workarounds
- Unload the qrtr kernel module on systems that do not require Qualcomm IPC Router functionality
- Apply seccomp filters or LSM policy to block AF_QIPCRTR socket creation for untrusted workloads
- Reduce QRTR exposure by isolating Qualcomm-based devices on dedicated network segments
# Configuration example: block QRTR socket family for untrusted services
# Verify whether qrtr is loaded
lsmod | grep qrtr
# Prevent automatic loading where not required
echo 'blacklist qrtr' | sudo tee /etc/modprobe.d/blacklist-qrtr.conf
echo 'blacklist qrtr-ns' | sudo tee -a /etc/modprobe.d/blacklist-qrtr.conf
# Confirm kernel version after patching
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
