Skip to main content

Linux Kernel CVE-2026-46198

| EUVDEUVD-2026-32825 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-633g-3jmf-hx7h
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:04 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix integer overflow on buff_pos

Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.

AnalysisAI

Out-of-bounds read in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module stems from an integer overflow on the s16 buff_pos variable in batadv_iv_ogm_send_to_if, where the size check is performed using int while the position counter uses s16. Adjacent-network attackers on a batman-adv mesh can trigger the overflow by sending crafted OGM (Originator Message) aggregation packets, potentially leaking kernel memory or causing denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the issue carries a CVSS of 8.8 due to high impact on confidentiality, integrity, and availability across adjacent networks.

Technical ContextAI

batman-adv is the kernel-space implementation of the B.A.T.M.A.N. (Better Approach To Mobile Ad-hoc Networking) advanced routing protocol, used in wireless mesh networks and projects such as Freifunk and OpenWrt community deployments. The bug lives in batadv_iv_ogm_send_to_if and the helper batadv_iv_ogm_aggr_packet, which aggregate multiple OGM packets into a single Layer 2 frame; the aggregation walks the buffer using buff_pos (signed 16-bit, s16), while the bounds check uses a wider int type. Because s16 silently wraps around 32767, the validated int comparison can succeed while buff_pos has wrapped to a negative or unexpectedly small value, causing the parser/sender to read past the intended buffer - a classic CWE-190 (integer overflow) leading to CWE-125 (out-of-bounds read). The defect was introduced with commit c6c8fea29769 (the original batman-adv merge in 2.6.38) and persisted across all stable branches until the cited fix commits.

RemediationAI

Vendor-released patches are available: upgrade to Linux kernel 6.6.140, 6.12.90, 6.18.32, or 7.1-rc4 (mainline) or later, applying the upstream commits 0799e5943611, 974542d1efc4, b252797bfced, f61499359fa5, or bf872db54f91 as referenced at https://git.kernel.org/stable/c/0799e5943611006b346b8813c7daf7dd5aa26bfd and the four companion git.kernel.org links. For systems that cannot reboot immediately, unload the batman-adv module with 'modprobe -r batman_adv' and blacklist it in /etc/modprobe.d/ if mesh routing is not required - the trade-off is total loss of B.A.T.M.A.N. mesh functionality on that host. Where mesh networking is mandatory, restrict batman-adv interfaces to trusted physical/wireless segments and apply L2 filtering to limit which neighbors can inject OGM frames, accepting that this reduces the dynamic-discovery benefits of an open mesh.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy