CVE-2026-46047 | net: qrtr: ns: Fix use-after-free in driver remove()

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Fix use-after-free in driver remove() In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing use-after-free issue. Fix this issue by saving the default 'sk_data_ready' callback during qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced. Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback.

Published: 2026-05-27 Last update: 2026-06-01 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Awaiting Analysis，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2026-46047 is rated Low Risk (5.2/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-46047

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-28	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-46047

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2026-46047

GitHub Security Advisory for CVE-2026-46047

GHSA-g5x6-jrf2-h8qv · Severity: unknown — In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Fix use-after...

OS Trackers for CVE-2026-46047

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-46047 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2.	https://security-tracker.debian.org/tracker/CVE-2026-46047
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2026-46047
`suse`	high	CVE-2026-46047 severity important: SUSE including 14 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 53 product×package rows across 12 product lines (SUSE Linux Enterprise Live Patching 12 SP5, SUSE Linux Enterprise Micro 5.0, … (12 product lines)): Known Not Affected 53.	https://www.suse.com/security/cve/CVE-2026-46047/
`ubuntu`	medium	CVE-2026-46047 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 891 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 508, needs-triage 224, ignored 159.	https://ubuntu.com/security/CVE-2026-46047

Affected software / configurations for CVE-2026-46047

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2026-46047

URL	Tags
https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4
https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f
https://git.kernel.org/stable/c/4ae0bd51bf7079e9c2a06b5de0ae04ba70d10167
https://git.kernel.org/stable/c/65168712c216584ff482a7d1a67589f2079b2634
https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb
https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8
https://git.kernel.org/stable/c/dff081c3602f2fd810f69ef47945a226980dd05d
https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae

cvelogic Threat Intelligence