Skip to main content

Linux Kernel CVE-2026-52931

| EUVDEUVD-2026-38701 CRITICAL
2026-06-24 Linux GHSA-xwx9-x5x2-3cmw
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.2 MEDIUM

Requires adjacent mesh reach and an active tp_meter receiver session (AV:A/AC:H); uninitialized reads yield limited memory disclosure (C:L) and possible kernel crash (A:L), no integrity impact.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:26 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tp_meter: avoid use of uninit sender vars

batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior.

This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet.

Guard against this by checking tp_vars->role immediately after the lookup and bailing out if it is not BATADV_TP_SENDER, before any of those members are accessed.

AnalysisAI

Use of uninitialized sender variables in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module allows a malicious mesh peer to trigger undefined behavior on a node acting as a tp_meter receiver. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join or spoof batman-adv mesh node
Delivery
Identify victim in active tp_meter receiver session
Exploit
Send crafted malicious tp_meter ACK
Execution
Kernel runs sender-only path on uninit vars
Impact
Leak kernel memory or crash node

Vulnerability AssessmentAI

Exploitation Exploitation requires the batman-adv module to be loaded and the target node to be an active participant in an ongoing tp_meter (throughput meter) session in the BATADV_TP_RECEIVER role; the attacker must be able to inject a crafted tp_meter ACK packet onto the same layer-2 batman-adv mesh that reaches the victim. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are sharply conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has joined or spoofed a node on a batman-adv mesh waits for (or induces) a victim node to participate as a tp_meter receiver, then sends a crafted/malicious tp_meter ACK packet. The victim's kernel runs sender-only ACK-handling logic against the receiver session, dereferencing uninitialized tp_vars members and leaking kernel memory or panicking. …
Remediation Apply the vendor-released stable kernel updates: upgrade to 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1, or later as appropriate to your branch (Vendor-released patch: see fixed versions above), and reboot. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running batman-adv and identify which stable kernel versions are in production. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy