CVE-2026-46047

Source
https://cve.org/CVERecord?id=CVE-2026-46047
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46047.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-46047
Downstream
Related
Published
2026-05-27T12:57:03.471Z
Modified
2026-06-18T03:56:41.532768635Z
Summary
net: qrtr: ns: Fix use-after-free in driver remove()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Fix use-after-free in driver remove()

In the remove callback, if a packet arrives after destroyworkqueue() is called, but before sockrelease(), the qrtrnsdata_ready() callback will try to queue the work, causing use-after-free issue.

Fix this issue by saving the default 'skdataready' callback during qrtrnsinit() and use it to replace the qrtrnsdataready() callback at the start of remove(). This ensures that even if a packet arrives after destroyworkqueue(), the work struct will not be dereferenced.

Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtrnsdata_ready() callback.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46047.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0c2204a4ad710d95d348ea006f14ba926e842ffd
Fixed
65168712c216584ff482a7d1a67589f2079b2634
Fixed
dff081c3602f2fd810f69ef47945a226980dd05d
Fixed
4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167
Fixed
0f313eb6a8f6dffa491373cf3afab979fa1c02f4
Fixed
db3c60ec772de30acae92d560dfcc5258e58dbe8
Fixed
2e127ceb1c415e246076d8e09e23e443a7a2038f
Fixed
f96779e916576e81430ebb326baff6e433fef8ae
Fixed
7809fea20c9404bfcfa6112ec08d1fe1d3520beb

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46047.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.27
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46047.json"