Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Malformed fragments arrive over the layer-2 mesh so AV:A; no auth or interaction needed beyond mesh participation (PR:N/UI:N); upstream describes availability-only DoS, so C:N/I:N/A:H.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix fragment reassembly length accounting
batman-adv keeps a running payload length for queued fragments and uses it to validate a fragment chain before reassembly.
That accounting currently allows the accumulated fragment length to be truncated during updates. As a result, malformed fragment chains can bypass the intended validation and drive reassembly with inconsistent length state, leading to a local denial of service.
Fix the accounting by storing the accumulated length in a length-typed field and rejecting update overflows before the existing validation logic runs.
The fix was verified against the original reproducer and against valid fragment reassembly paths.
AnalysisAI
Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target kernel to be built with CONFIG_BATMAN_ADV and have the batman-adv module loaded and actively participating in a B.A.T.M.A.N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict sharply and should not be taken at face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the same batman-adv mesh segment (a rogue or compromised mesh node) crafts a malformed fragment chain whose advertised lengths trigger the truncated length accounting on a peer. The victim kernel reassembles with inconsistent length state and crashes or hangs, causing a denial of service on that node. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, or 7.1 (or your distribution's backported equivalent), referencing the kernel.org commits such as https://git.kernel.org/stable/c/e4f3f6b818aa6a678bc54a2d4e0bece2303c6a64 and https://git.kernel.org/stable/c/37be61825b15534a16ff9cfc9546de155b6df982. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running batman-adv kernel module across data centers and edge infrastructure; verify patch availability through kernel vendor advisories. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38717
GHSA-637x-w8p5-96wm