Skip to main content

Linux Kernel CVE-2026-46206

| EUVDEUVD-2026-32833 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qgq4-qmm7-r3p4
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:06 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: reject new tp_meter sessions during teardown

Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.

AnalysisAI

Local privilege escalation risk in the Linux kernel's batman-adv mesh networking module allows authenticated local users to trigger memory corruption by initiating new tp_meter throughput measurement sessions during mesh teardown. The flaw exists because the tp_meter subsystem failed to reject new sender/receiver sessions after mesh_state transitioned out of BATADV_MESH_ACTIVE, creating a race condition during module shutdown. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%.

Technical ContextAI

The vulnerability resides in batman-adv (Better Approach To Mobile Ad-hoc Networking, advanced), a Linux kernel module implementing layer-2 mesh routing for wireless mesh networks. The tp_meter component is a throughput measurement tool used to test bandwidth between mesh nodes. The bug is a teardown race: when the mesh interface leaves BATADV_MESH_ACTIVE state, new tp_meter sessions could still be created against partially-deallocated state, a classic use-after-free or invalid-state class issue (no CWE assigned by NVD). The fix, landed across commits 32435435..., ca39545c..., e1e2194c..., e4a3c4a4..., and ff93f86e..., adds an explicit state check to reject session creation outside active mesh state.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc4 (or any later stable release in those series) which contain the fix that rejects new tp_meter sessions once mesh_state is no longer BATADV_MESH_ACTIVE. Distribution users should track their vendor's kernel updates (Debian, Ubuntu, RHEL, SUSE) that backport these stable commits. As a compensating control if patching is delayed, unload or blacklist the batman_adv kernel module on systems that do not use mesh networking (modprobe -r batman_adv; add to /etc/modprobe.d/blacklist), which fully eliminates the attack surface but breaks any batman-adv mesh functionality; alternatively, restrict CAP_NET_ADMIN and disable user access to the batctl tp_meter command on multi-user systems to remove the trigger path, at the cost of losing throughput measurement capability for legitimate operators. Patch commits are at git.kernel.org/stable/c/ff93f86ecbb50a4709c403fc279a396e308edde5 and its backports.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy