CVE-2026-43491
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/05/2026
Last modified:
26/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: qrtr: ns: Limit the maximum server registration per node<br />
<br />
Current code does no bound checking on the number of servers added per<br />
node. A malicious client can flood NEW_SERVER messages and exhaust memory.<br />
<br />
Fix this issue by limiting the maximum number of server registrations to<br />
256 per node. If the NEW_SERVER message is received for an old port, then<br />
don&#39;t restrict it as it will get replaced. While at it, also rate limit<br />
the error messages in the failure path of qrtr_ns_worker().<br />
<br />
Note that the limit of 256 is chosen based on the current platform<br />
requirements. If requirement changes in the future, this limit can be<br />
increased.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/35fb4a0c077c5d1049c2628b769e0a1b1e65df0d
- https://git.kernel.org/stable/c/3efaad55cad1ded429e3a873bfece389058a526b
- https://git.kernel.org/stable/c/868202aa2adae427060a42d5bd663b4d782ec02c
- https://git.kernel.org/stable/c/d5ee2ff98322337951c56398e79d51815acbf955
- https://git.kernel.org/stable/c/e6f6cd501fb54060940a6eb3f4103eeb5e426ae7



