Skip to main content

Linux Kernel CVE-2026-52916

| EUVDEUVD-2026-38719 MEDIUM
2026-06-24 Linux GHSA-7cg4-79f4-7w2g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Batman-adv is an adjacent-network layer 2 mesh protocol; any mesh participant sends crafted frames without credentials, causing pure kernel crash.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 16:01 vuln.today
CVSS changed
Jul 08, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: frag: disallow unicast fragment in fragment

batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload.

A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted.

Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.

AnalysisAI

Stack exhaustion in the Linux kernel batman-adv mesh networking subsystem allows an attacker on the same batman-adv mesh to crash the kernel by sending matryoshka-nested BATADV_UNICAST_FRAG packets. The reassembled payload's packet type is not validated before re-processing, enabling unbounded recursion in batadv_batman_skb_recv() that exhausts kernel stack and causes a hard system crash. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Join batman-adv mesh network segment
Delivery
Craft deeply nested BATADV_UNICAST_FRAG packet
Exploit
Transmit crafted frame to victim node
Install
Victim reassembles outer fragment
C2
Reassembled payload re-enters batadv_batman_skb_recv() recursively
Execute
Kernel stack exhausted
Impact
Kernel panic and system crash

Vulnerability AssessmentAI

Exploitation Exploitation requires the batman-adv kernel module (batman-adv.ko) to be loaded and at least one network interface assigned to a batman-adv mesh instance on the victim system. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score is 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, reflecting a local, low-privilege, high-availability-impact vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has joined a batman-adv mesh network constructs a BATADV_UNICAST_FRAG packet whose fragment reassembly yields another valid BATADV_UNICAST_FRAG packet, repeating this nesting to an arbitrary depth. When the victim kernel processes this sequence, batadv_batman_skb_recv() recurses without bound through each nesting level, consuming kernel stack space until the stack overflows and the system panics. …
Remediation Vendor-released patches are available across all active stable kernel branches. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52916 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy