Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local-only vector confirmed; PR:L reflects that triggering batman-adv teardown requires at minimum low-privilege local access; no confidentiality or integrity impact applies.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: clear current gateway during teardown
batadv_gw_node_free() removes the gateway list entries during mesh teardown, but it does not clear the currently selected gateway. This leaves stale gateway state behind across cleanup and can break a later mesh recreation.
Clear bat_priv->gw.curr_gw before walking the gateway list so the selected gateway reference is dropped as part of teardown.
AnalysisAI
Stale gateway pointer in the Linux kernel's batman-adv mesh networking subsystem causes availability failures during mesh teardown and recreation. The batman-adv gateway cleanup function batadv_gw_node_free() frees gateway list entries without clearing bat_priv->gw.curr_gw, leaving a dangling reference that persists across cleanup and breaks subsequent mesh recreation attempts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) local access to the target system with at least low-privilege credentials (CVSS PR:L); (2) the batman-adv kernel module must be loaded and in active use - this is a non-default configuration present only on mesh networking deployments; (3) the attacker or an administrator must trigger a mesh teardown cycle followed by a mesh recreation attempt to dereference the stale pointer. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low despite the High availability impact rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with low-privilege access on a system running batman-adv mesh networking creates a mesh interface, then triggers teardown of the mesh - either through legitimate administrative action or by manipulating network namespace teardown. The stale `curr_gw` pointer left in `bat_priv->gw.curr_gw` is subsequently dereferenced during an attempt to recreate or reinitialize the mesh, causing a kernel panic or undefined behavior and resulting in a system availability impact. … |
| Remediation | Upgrade to a patched stable kernel release: 5.10.258 or later for the 5.10 LTS branch, 5.15.209 or later for the 5.15 LTS branch, 6.1.175 or later for the 6.1 LTS branch, 6.6.142 or later for the 6.6 LTS branch, 6.12.92 or later for the 6.12 branch, 6.18.34 or later for the 6.18 branch, 7.0.11 or later for the 7.0 branch, or 7.1 and later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38729
GHSA-r223-r4pf-42r9