Skip to main content

Linux Kernel CVE-2026-31657

| EUVDEUVD-2026-25550 CRITICAL
NULL Pointer Dereference (CWE-476)
2026-04-24 Linux GHSA-w24x-3wrx-8q34
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:16 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:41 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25550
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:45 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: hold claim backbone gateways by reference

batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.

The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.

Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.

AnalysisAI

Use-after-free in Linux kernel batman-adv (B.A.T.M.A.N. Advanced mesh networking) allows remote network attackers to trigger memory corruption and potentially execute arbitrary code. The batadv_bla_add_claim() function can prematurely drop a gateway reference while readers still access the pointer, causing netlink dump and claim-check paths to dereference freed memory. Despite CVSS 9.8 critical rating, exploitation probability is low (EPSS 2%, 7th percentile), no active exploitation confirmed, and patches available across kernel stable branches 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0.

Technical ContextAI

Batman-adv is the Linux kernel implementation of B.A.T.M.A.N. Advanced, a mesh networking protocol for multi-hop ad-hoc networks. The Bridge Loop Avoidance (BLA) subsystem prevents loops when mesh networks are bridged to LANs. The vulnerability exists in BLA's claim reference counting: batadv_bla_add_claim() replaces claim->backbone_gw pointers without holding references, creating a classic use-after-free race. The netlink dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock, and batadv_bla_check_claim() follows the same naked pointer pattern. Both paths can access freed gateway structures if another thread drops the last reference. The fix introduces batadv_bla_claim_get_backbone_gw() to pin gateway references during read operations, enforcing lifetime rules already used elsewhere in BLA claim handling. This is a kernel memory safety issue rooted in improper reference management during concurrent operations on shared data structures.

RemediationAI

Primary fix: upgrade to patched kernel versions 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, or 7.0+ depending on your stable branch. Patches introduce proper reference counting via batadv_bla_claim_get_backbone_gw() to prevent use-after-free during concurrent claim operations. For systems requiring batman-adv but unable to immediately patch, temporary workaround is to disable Bridge Loop Avoidance via 'batctl bridge_loop_avoidance 0' on all mesh nodes - this eliminates the vulnerable code path but removes loop protection, requiring network topology redesign to avoid bridging loops manually (do not connect mesh to multiple LAN segments). This workaround severely limits deployment flexibility and is only viable for simple tree topologies. Alternatively, unload batman-adv module entirely if mesh networking is not mission-critical ('rmmod batman_adv'), but this disables all mesh functionality. For distributions, check vendor security advisories: Debian DSA/DLA, Ubuntu USN, RHEL RHSA, SUSE updates will backport fixes to their kernel packages. Verify patch application with 'grep batadv_bla_claim_get_backbone_gw /proc/kallsyms' (should show the new function). No kernel command-line mitigations exist for this vulnerability.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy