Skip to main content

Linux Kernel CVE-2026-46233

| EUVDEUVD-2026-32751 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vvwr-mg55-mhmm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires concurrent timing of two kernel paths (AC:H); local low-privilege shell needed (PR:L); kernel panic produces availability-only impact with no confidentiality or integrity compromise.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:42 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: only purge non-released claims

When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.

To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.

AnalysisAI

NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).

Technical ContextAI

The vulnerability resides in the batman-adv kernel module (B.A.T.M.A.N. Advanced mesh networking protocol), specifically in the Bridge Loop Avoidance subsystem responsible for preventing Ethernet bridge loops across multi-homed mesh networks. batadv_bla_purge_claims() iterates the internal claim hash table using rcu_read_lock(), which serializes against RCU grace periods but does not block concurrent object modification. The parallel code path batadv_claim_put() → batadv_claim_release() sets backbone_gw to NULL as the first step of teardown, before the deferred RCU kfree() executes. Because the purge function performs no reference-count validity check before calling batadv_bla_claim_get_backbone_gw(), it can dereference a NULL pointer on a claim that is concurrently being freed. CWE-476 (NULL Pointer Dereference) applies, rooted in a classic TOCTOU race: the claim appears valid during list traversal but transitions to a partially-released state before use. CPE data confirms the affected product as cpe:2.3:o:linux:linux_kernel across multiple stable branches, with the vulnerable code introduced at commit 23721387c409087fd3b97e274f34d3ddc0970b74 (Linux 3.5 era).

RemediationAI

Upgrade to a patched Linux kernel: 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc4 or later. Upstream fix commits are available at git.kernel.org/stable: cf6b604011591865ae39ac82de8978c1120d17af, ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d, 7b8fbcee3184d848b5aee085ca16d0cf05c9b641, 7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe, and b65365d2b1e6095c538d49baeb140dd1c166c1b3. Distribution vendors (Red Hat, Debian, Ubuntu, SUSE) should be consulted for backported stable patches. If immediate kernel upgrade is not feasible, disabling the batman-adv module entirely via 'rmmod batman-adv' or blacklisting it in /etc/modprobe.d/ eliminates the attack surface completely - note this disables all batman-adv mesh networking functionality, which is the intended trade-off on non-mesh hosts. Restricting local shell access to trusted users further reduces exploitation opportunity given the PR:L requirement. Systems that do not use batman-adv mesh networking require no action beyond routine kernel maintenance.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy