Skip to main content

Linux Kernel CVE-2026-46212

| EUVDEUVD-2026-32839 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3qfg-xvm7-p66x
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:08 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 8.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: prevent use-after-free when deleting claims

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().

But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.

AnalysisAI

Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.

Technical ContextAI

The bug lives in net/batman-adv, the Linux kernel implementation of the B.A.T.M.A.N. Advanced (batadv) Layer-2 mesh routing protocol, specifically in the Bridge Loop Avoidance (BLA) component that tracks 'claims' linking client MAC addresses to backbone gateways. The function batadv_bla_del_backbone_claims() iterates the claim hash to drop entries, but invokes batadv_claim_put() - which decrements the refcount and may trigger batadv_claim_release() to free the object via RCU/kfree - before the final dereference of the claim during list removal, producing a classic use-after-free (CWE-416 class, though NVD reports CWE as N/A). The affected code path runs in kernel context with full privileges, and the bug is reachable whenever batman-adv is loaded and participating in a mesh - common on OpenWrt-based community mesh networks, embedded routers, and IoT/edge deployments.

RemediationAI

Apply the vendor-released patch by upgrading to a fixed Linux kernel: 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc4 or later, using the stable-tree commits 00155f336a5e, 0cc9847c64cb, 368449e467d5, 4ae1709a3140, or 6c5dc6d68e6b at git.kernel.org/stable. For systems that cannot be rebooted immediately, the most effective compensating control is to unload or blacklist the batman-adv kernel module (modprobe -r batman_adv; add 'blacklist batman-adv' to /etc/modprobe.d/) on hosts that do not participate in a mesh - this fully removes the attack surface but breaks any mesh networking that depends on it. For hosts that must run batman-adv, restrict physical/L2 access to the mesh segment and avoid bridging untrusted networks into batadv interfaces, since the AV:A vector requires the attacker to be on the same broadcast domain; this does not eliminate risk but reduces exposure to known peers. Monitor dmesg for KASAN UAF reports on batadv_claim_release as an indicator of exploitation attempts on debug kernels.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy