CVE-2026-43491

Vulnerability

The Linux kernel's Qualcomm IPC Router (QRTR) name service (qrtr_ns) contains a missing bounds check when handling NEW_SERVER messages [1]. The code inserts new server registrations per node without any limit, allowing an attacker to create an unbounded number of server entries. The fix, included in stable kernel updates, caps server registrations at 256 per node [1]. A NEW_SERVER message for an already-known port is replaced rather than added, so it is not restricted [1].

Exploitation

An attacker must have the ability to send crafted NEW_SERVER messages to the qrtr_ns socket (i.e., local access to the QRTR subsystem) [1]. By sending a continuous stream of unique NEW_SERVER messages, the attacker can cause the kernel to allocate memory for each new server entry, leading to memory exhaustion [1].

Impact

Successful exploitation results in denial of service (DoS) due to kernel memory exhaustion [1]. The attacker does not gain code execution or data access, but can render the system unstable or unresponsive.

Mitigation

Patches have been applied to the Linux kernel stable branches [1][2][3][4]. Users should update to a kernel version containing commit 35fb4a0c077c or an equivalent backport [4]. If patching is not immediately possible, restricting local access to QRTR services may limit the attack surface. There is no known workaround that fully prevents the vulnerability without applying the patch.