CVE-2026-43491 · In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current

01 · The Real Story

This is a kernel guestbook with no page limit, but only in a side room most enterprises never open

CVE-2026-43491 is an unbounded resource-allocation bug in Linux QRTR name service handling (net/qrtr/ns.c). A malicious client can keep sending NEW_SERVER registrations with new ports, and the kernel keeps allocating tracking objects until memory pressure or OOM becomes the real payload. Upstream metadata ties the bug to code introduced by commit 0c2204a4ad71 and semver exposure starting at Linux 5.7; upstream-fixed lines are listed as 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1.

There is no vendor CVSS baseline, so this is a first-principles assessment. In practice, this lands at = ASSESSED AT MEDIUM because it is local/post-initial-access, availability-only, and feature-gated by QRTR support, which is a much smaller population than generic Linux kernel networking flaws. The kernel impact is real on affected hosts, but the reachable population is too narrow for a HIGH.

"ASSESSED AT MEDIUM: this is a local QRTR-only kernel DoS with narrow exposure and no exploitation evidence"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land on a host that actually has QRTR enabled

The attacker first needs a Linux system where the QRTR subsystem is present, typically via CONFIG_QRTR=y|m or a loaded qrtr module. This is not a generic fleet-wide assumption; QRTR is mainly relevant on Qualcomm-oriented platforms and some custom kernels.

Conditions required:

Target runs a vulnerable Linux kernel version
QRTR support is built in or loadable
Attacker has code execution on the host or in a container that can reach the host kernel socket API

Where this breaks in practice:

Most enterprise Linux servers do not rely on QRTR at all
Many distributions backport fixes without changing the upstream-looking major/minor version
Container runtimes or seccomp profiles may block unusual socket families

Detection/coverage: Traditional network scanners will miss this. Host inventory must key off kernel version/backport state plus CONFIG_QRTR/qrtr presence.

STEP 02

Open the QIPCRTR socket path

With local code execution, the attacker uses a QRTR-capable userspace client or a tiny custom program to open AF_QIPCRTR and send control messages to the kernel name service. The relevant weaponized primitive is just repeated NEW_SERVER registration traffic, not a complex exploit chain.

Conditions required:

Ability to call socket(AF_QIPCRTR, ...) and send QRTR control messages
No LSM/seccomp policy denying this socket family

Where this breaks in practice:

This is not reachable from the internet as a normal exposed service
Attackers need platform knowledge or a small purpose-built harness

Detection/coverage: eBPF/audit-based telemetry can flag processes opening the QIPCRTR socket family, but most EDR content will not have a stock rule for it.

STEP 03

Flood NEW_SERVER with unique ports

The attacker repeatedly registers new server entries so the vulnerable code allocates a new qrtr_server object per fresh port. Before the fix, there is no per-node upper bound, so memory use rises linearly with the flood.

Conditions required:

The target node continues accepting unique server registrations
Attacker can sustain a message loop long enough to create pressure

Where this breaks in practice:

CPU or memory cgroup limits can throttle a noisy local process before full host impact
On lightly privileged containers, surrounding controls may kill the abusive workload before the node crashes

Detection/coverage: No strong scanner coverage. Kernel tracing, BPF, or custom detections for high-rate QRTR registration traffic are the realistic options.

STEP 04

Turn memory pressure into service impact

Once enough allocations accumulate, the host experiences memory pressure, possible OOM kills, and noisy worker-path logging. The result is denial of service, not code execution, privilege escalation, or data theft.

Conditions required:

Sufficient host memory consumption to affect workload stability
No earlier containment from resource controls or process supervision

Where this breaks in practice:

Blast radius is usually one host, not a domain-wide compromise
Modern fleet operations often notice OOM events quickly even if they do not recognize the exact CVE

Detection/coverage: Look for OOM killer events, abrupt service restarts, qrtr_ns_worker() errors, and abnormal memory growth from a local process just before impact.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No current exploitation evidence surfaced in the reviewed sources. CISA KEV has no listing for this CVE, and no GreyNoise/Censys campaign data was found tied to it.
PoC availability	No public PoC repo was found in the reviewed primary references. The exploit path is still technically simple because the patch diff spells out the primitive: flood `NEW_SERVER` registrations with unique ports (inference from upstream patch/advisory text).
EPSS	0.024% (7th percentile) in the GitHub Advisory Database, matching the user's `0.00024` decimal form.
KEV status	Not KEV-listed. No CISA due date applies.
Severity signal from downstream vendors	Ubuntu priority: Medium. SUSE severity: moderate, CVSS 6.2 with `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`.
Affected versions	Upstream metadata marks the vulnerable code as introduced by commit `0c2204a4ad71` and semver exposure beginning at Linux 5.7, limited to kernels carrying the QRTR nameservice code.
Fixed versions	Upstream unaffected versions are listed as 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. Distros may backport earlier, so package build provenance beats `uname -r` alone.
Exposure reality	This is not an internet-edge bug. QRTR is a local IPC subsystem; Shodan/Censys/FOFA-style exposure counting is largely irrelevant because there is no normal remote listening service to fingerprint.
Platform prevalence	`CONFIG_QRTR` is Qualcomm IPC Router support, depends on `CONFIG_NET`, is selected by `CONFIG_QCOM_PD_MAPPER`, and is depended on by drivers like `ATH11K_PCI` and `ATH12K`. That points to a specialized, not universal, enterprise footprint.
Disclosure / reporter	Published 2026-05-19. Reported by Yiming Qian; fix authored upstream by Manivannan Sadhasivam and backported into stable review trees.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (4.9/10)

The decisive downgrade pressure is attacker position: this requires local or already-compromised execution on a host that also has the niche QRTR subsystem enabled. The bug can absolutely crash an affected machine, but its real-world exposure population is narrow and the outcome is availability-only, which keeps it out of HIGH.

HIGH Technical impact is denial of service via unbounded server registration and memory exhaustion

MEDIUM Enterprise exposure prevalence of QRTR-enabled hosts

HIGH No current KEV listing or reviewed evidence of active exploitation

Why this verdict

Requires local or already-compromised code execution: the attacker must run code on the box, or in a container with usable access to the host kernel socket API. That is post-initial-access, which is immediate downward pressure on severity.
Feature-gated population: QRTR is a specialized Qualcomm IPC subsystem, not a default enterprise edge service. Requiring CONFIG_QRTR or a loaded qrtr module sharply narrows the reachable population compared with generic kernel bugs.
Availability-only outcome: the patch addresses memory exhaustion and log noise, not privilege escalation or arbitrary code execution. Crashing a host matters, but it does not justify HIGH on its own when the attacker is already local.
No exploitation signal: EPSS is very low, the CVE is not in KEV, and the reviewed sources do not show a public exploitation campaign. That removes the main amplifier that would otherwise push an awkward local-kernel bug upward.

Why not higher?

There is no credible remote unauthenticated path here based on the reviewed sources. To get impact, the attacker already needs a foothold on a QRTR-enabled system, and the blast radius is usually one host's availability rather than cross-tenant compromise or data exposure.

Why not lower?

This is still kernel-space DoS from an unprivileged position on affected systems, which matters in shared compute, developer workstations, CI runners, and embedded Linux fleets. If QRTR is enabled and untrusted code can run locally, the bug is practical enough that writing it off as LOW would understate operational risk.

05 · Compensating Control

What to do — in priority order.

Unload or blacklist qrtr where unused — If a host does not need Qualcomm IPC Router, remove the attack surface entirely by unloading the module and blacklisting it from reload. For a MEDIUM verdict there is no mitigation SLA, but this is the cleanest exposure reduction while you work toward patching within the 365-day remediation window.
Block untrusted workloads from QIPCRTR sockets — Use seccomp, SELinux/AppArmor, or container runtime policy to deny AF_QIPCRTR from untrusted containers and local workloads. There is no mitigation SLA — go straight to the 365-day remediation window, but this is the best temporary control on shared hosts where QRTR must remain enabled.
Watch for QRTR abuse indicators — Add host detections for unusual QIPCRTR socket creation, rapid NEW_SERVER-like registration behavior, OOM-killer events, and qrtr_ns_worker() errors. For a MEDIUM issue this is containment and hunting support rather than an SLA-driven emergency mitigation.

What doesn't work

Perimeter firewalls or WAFs do nothing useful here because this is not a standard remotely exposed service vulnerability.
MFA does nothing because the exploit path is not an authentication workflow.
Version-only network scanning gives false confidence because the key questions are local attacker position, QRTR enablement, and distro backports.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host as root or with read access to /proc/config.gz, /boot/config-*, and /lib/modules. Invoke it as sudo bash ./check-cve-2026-43491.sh; it outputs VULNERABLE, PATCHED, or UNKNOWN based on QRTR presence plus the upstream fixed-version floors.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-43491.sh
# Determine practical exposure to CVE-2026-43491 on a Linux host.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

KREL="$(uname -r)"
BASE="$(printf '%s' "$KREL" | grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+' || true)"

ver_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

ver_lt() {
  [ "$1" != "$2" ] && ! ver_ge "$1" "$2"
}

get_config_line() {
  local key="$1"
  if [ -r /proc/config.gz ]; then
    zgrep -E "^${key}=" /proc/config.gz 2>/dev/null && return 0
  fi
  if [ -r "/boot/config-$KREL" ]; then
    grep -E "^${key}=" "/boot/config-$KREL" 2>/dev/null && return 0
  fi
  if [ -r "/lib/modules/$KREL/build/.config" ]; then
    grep -E "^${key}=" "/lib/modules/$KREL/build/.config" 2>/dev/null && return 0
  fi
  return 1
}

QRTR_CFG="$(get_config_line CONFIG_QRTR || true)"
QRTR_PRESENT=no
QRTR_REASON=""

if printf '%s' "$QRTR_CFG" | grep -qE '^CONFIG_QRTR=(y|m)$'; then
  QRTR_PRESENT=yes
  QRTR_REASON="CONFIG_QRTR enabled"
elif lsmod 2>/dev/null | awk '{print $1}' | grep -qx 'qrtr'; then
  QRTR_PRESENT=yes
  QRTR_REASON="qrtr module loaded"
elif modinfo qrtr >/dev/null 2>&1; then
  QRTR_PRESENT=yes
  QRTR_REASON="qrtr module available"
fi

if [ "$QRTR_PRESENT" = no ]; then
  echo "PATCHED - QRTR support not detected (CONFIG_QRTR absent and qrtr module not present/loaded)"
  exit 0
fi

if [ -z "$BASE" ]; then
  echo "UNKNOWN - unable to parse kernel version from uname -r: $KREL; $QRTR_REASON"
  exit 2
fi

# Upstream unaffected floors from published CVE metadata:
# 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
# Distros may backport earlier, so unsupported/custom branches remain UNKNOWN.

if ver_lt "$BASE" "5.7.0"; then
  echo "PATCHED - kernel base version $BASE predates the vulnerable semver range; $QRTR_REASON"
  exit 0
fi

case "$BASE" in
  6.6.*)
    if ver_ge "$BASE" "6.6.140"; then
      echo "PATCHED - upstream fixed floor met on 6.6.y ($BASE >= 6.6.140); $QRTR_REASON"
      exit 0
    else
      echo "VULNERABLE - upstream 6.6.y kernel below fixed floor ($BASE < 6.6.140); $QRTR_REASON"
      exit 1
    fi
    ;;
  6.12.*)
    if ver_ge "$BASE" "6.12.86"; then
      echo "PATCHED - upstream fixed floor met on 6.12.y ($BASE >= 6.12.86); $QRTR_REASON"
      exit 0
    else
      echo "VULNERABLE - upstream 6.12.y kernel below fixed floor ($BASE < 6.12.86); $QRTR_REASON"
      exit 1
    fi
    ;;
  6.18.*)
    if ver_ge "$BASE" "6.18.27"; then
      echo "PATCHED - upstream fixed floor met on 6.18.y ($BASE >= 6.18.27); $QRTR_REASON"
      exit 0
    else
      echo "VULNERABLE - upstream 6.18.y kernel below fixed floor ($BASE < 6.18.27); $QRTR_REASON"
      exit 1
    fi
    ;;
  7.0.*)
    if ver_ge "$BASE" "7.0.4"; then
      echo "PATCHED - upstream fixed floor met on 7.0.y ($BASE >= 7.0.4); $QRTR_REASON"
      exit 0
    else
      echo "VULNERABLE - upstream 7.0.y kernel below fixed floor ($BASE < 7.0.4); $QRTR_REASON"
      exit 1
    fi
    ;;
  7.1.*|7.2.*|7.3.*|8.*)
    echo "PATCHED - mainline/newer than the original fix point (>= 7.1 line); $QRTR_REASON"
    exit 0
    ;;
  *)
    echo "UNKNOWN - QRTR is present, but $BASE is a branch where backports/custom vendor patching must be checked against distro advisories; $QRTR_REASON"
    exit 2
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like an internet-edge fire drill. First inventory which Linux assets actually have QRTR enabled or loaded, then isolate the subset that also run untrusted local code such as shared hosts, CI runners, developer workstations, or container nodes. Because this is MEDIUM, there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window; use module blacklisting or socket-family restrictions where practical, but the real deadline is the noisgate remediation SLA of ≤ 365 days to land the vendor-backed kernel update or distro backport. If your environment has Qualcomm-heavy embedded fleets or hostile multi-tenant Linux, accelerate inside that window even though the global fleet priority stays medium.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.