目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-52947— Net: qrtr 端口移除引用计数饱和及潜在UAF漏洞

EPSS 0.18% · P8
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-52947 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove In qrtr_port_remove(), the socket reference count is decremented via __sock_put() before the port is removed from the qrtr_ports XArray and before the RCU grace period elapses. This breaks the fundamental RCU update paradigm. It exposes a race window where a concurrent RCU reader (such as qrtr_reset_ports() or qrtr_port_lookup()) can obtain a pointer to the socket from the XArray, and attempt to call sock_hold() on a socket whose reference count has already dropped to zero. This exact race condition was hit during syzkaller fuzzing, leading to the following refcount saturation warning and a potential Use-After-Free: refcount_t: saturated; leaking memory. WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0 Modules linked in: qrtr(+) bochs drm_shmem_helper ... Call Trace: <TASK> qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr] __qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr] qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr] kernel_bind+0xe4/0x120 net/socket.c:3592 qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr] qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr] do_one_initcall+0xf5/0x5e0 init/main.c:1283 ... </TASK> Fix this by deferring the reference count decrement until after the xa_erase() and the synchronize_rcu() complete. (Note: The v1 of this patch incorrectly replaced __sock_put() with sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove() still hold a reference to the socket, so freeing the socket memory here would lead to a subsequent UAF in the caller. Thus, the __sock_put() is kept, but only repositioned to close the RCU race.)
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux bdabad3e363d825ddf9679dd431cca0b2c30f881 ~ 2aa4c12723fe432e623462a3be42a197a128722b -
LinuxLinux 4.7 -

二、漏洞 CVE-2026-52947 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-52947 的情报信息

登录查看更多情报信息。

CVE-2026-52947 补丁与修复 (6)

CVE-2026-52947 其他参考 (2)

同批安全公告 · Linux · 2026-06-24 · 共 219 条

CVE-2026-52979net: psp: 创建关联时检查设备注销
CVE-2026-52992adfs_validate_bblk() 未验证 nzones 漏洞
CVE-2026-52993TIPC tipc_buf_append() 双重释放漏洞
CVE-2026-52991sched/psi 文件释放与压力写入间竞态条件漏洞
CVE-2026-52990fsnotify inode引用泄漏漏洞
CVE-2026-52988netfilter: nf_tables 在提交阶段使用 splice_list_rcu() 加入钩子列表
CVE-2026-52989nvmet-tcp 传播 nvmet_tcp_build_pdu_iovec() 错误到调用者
CVE-2026-52987AMD GPU 驱动用户队列验证中双重释放漏洞
CVE-2026-52986netfilter nf_conntrack_sip 漏洞
CVE-2026-52985netdevsim 虚拟网卡 iphdr结构体未初始化漏洞
CVE-2026-52984Linux netem 队列限制检查漏洞
CVE-2026-52982Realtek RTL8150 网卡 use-after-free 漏洞
CVE-2026-52983Airoha网络驱动TX路径BQL失衡漏洞
CVE-2026-52981内核neigh模块skb所有权管理漏洞
CVE-2026-52969KVM: kvm_reset_dirty_gfn() 回绕偏移拒绝漏洞
CVE-2026-52971ena: get_timestamp中潜在Use-after-Free漏洞
CVE-2026-52972crypto: af_alg - AEAD附加数据长度限制漏洞
CVE-2026-52970nft_ct: obj eval缺失expect put导致漏洞
CVE-2026-52973futex: 移除私有默认哈希分配中CLONE_THREAD要求
CVE-2026-52968KVM s390 PCI GAIT表索引双重缩放指针算法定位漏洞

显示前 20 条,共 219 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-52947

暂无评论


发表评论