{"id":"CVE-2026-46047","summary":"net: qrtr: ns: Fix use-after-free in driver remove()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Fix use-after-free in driver remove()\n\nIn the remove callback, if a packet arrives after destroy_workqueue() is\ncalled, but before sock_release(), the qrtr_ns_data_ready() callback will\ntry to queue the work, causing use-after-free issue.\n\nFix this issue by saving the default 'sk_data_ready' callback during\nqrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at\nthe start of remove(). This ensures that even if a packet arrives after\ndestroy_workqueue(), the work struct will not be dereferenced.\n\nNote that it is also required to ensure that the RX threads are completed\nbefore destroying the workqueue, because the threads could be using the\nqrtr_ns_data_ready() callback.","modified":"2026-06-18T03:56:41.532768635Z","published":"2026-05-27T12:57:03.471Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46047.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167"},{"type":"WEB","url":"https://git.kernel.org/stable/c/65168712c216584ff482a7d1a67589f2079b2634"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dff081c3602f2fd810f69ef47945a226980dd05d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46047.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46047"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0c2204a4ad710d95d348ea006f14ba926e842ffd"},{"fixed":"65168712c216584ff482a7d1a67589f2079b2634"},{"fixed":"dff081c3602f2fd810f69ef47945a226980dd05d"},{"fixed":"4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167"},{"fixed":"0f313eb6a8f6dffa491373cf3afab979fa1c02f4"},{"fixed":"db3c60ec772de30acae92d560dfcc5258e58dbe8"},{"fixed":"2e127ceb1c415e246076d8e09e23e443a7a2038f"},{"fixed":"f96779e916576e81430ebb326baff6e433fef8ae"},{"fixed":"7809fea20c9404bfcfa6112ec08d1fe1d3520beb"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46047.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.7.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46047.json"}}],"schema_version":"1.7.5"}