Skip to main content

Linux Kernel CVE-2026-52922

| EUVDEUVD-2026-38725 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-24 Linux GHSA-jv9r-93q3-fcf8
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

batman-adv is an L2 mesh protocol so AV:A; the crash needs an skb-copy allocation failure under memory pressure that the attacker cannot force, so AC:H; availability-only impact gives A:H, C/I:N.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:24 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: dat: handle forward allocation error

batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb for each DHT candidate, but does not check the return value before passing it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences the skb unconditionally, so a failed allocation triggers a NULL pointer dereference.

Skip forwarding to the current DHT candidate on allocation failure.

AnalysisAI

Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join batman-adv mesh fabric
Delivery
Inject forwarded ARP/DAT traffic
Exploit
Hit pskb_copy_for_clone failure under memory pressure
Execution
NULL skb dereferenced in unicast prepare
Impact
Kernel oops / denial of service

Vulnerability AssessmentAI

Exploitation The target must be running a Linux kernel built with batman-adv (CONFIG_BATMAN_ADV) AND have the Distributed ARP Table (DAT) feature enabled on a mesh interface - DAT is the exact feature whose forwarding path (batadv_dat_forward_data) contains the bug. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward low real-world priority despite the High (7.5) CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connected to a batman-adv mesh network sends a stream of ARP traffic that the local node forwards through the Distributed ARP Table to DHT candidate nodes. While the target is under memory pressure, pskb_copy_for_clone() fails during forwarding and the unchecked NULL skb is dereferenced, crashing the kernel (denial of service). …
Remediation Vendor-released patch: upgrade to a fixed Linux stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, or 7.1 (or later in each series), matching your running branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running batman-adv and confirm whether mesh networking is deployed in production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52922 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy