Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Triggering requires >64KB of attacker-influenceable TVLV container state on a mesh-enabled node, so AC:H and PR:H; an out-of-bounds write impacts integrity/availability (I:H/A:H), not confidentiality (C:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: tvlv: reject oversized TVLV packets
batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers.
The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory.
Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.
AnalysisAI
Kernel heap memory corruption affects the batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem of the Linux kernel, where a u16 accumulator in batadv_tvlv_container_list_size() can wrap around when the total size of registered TVLV containers exceeds 65535 bytes, leading to an undersized allocation and a subsequent out-of-bounds memcpy write in batadv_tvlv_container_ogm_append(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the batman-adv kernel module to be loaded with an active mesh (bat0) interface - the vulnerable batadv_tvlv_container_ogm_append() path does not exist otherwise. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and partly conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can participate in or influence a batman-adv mesh deployment drives the registration of TVLV containers until their cumulative size exceeds 65535 bytes; when the node next builds an OGM, the 16-bit size computation wraps, a too-small buffer is allocated, and the container copy writes past it, corrupting kernel heap memory and crashing the node or potentially enabling controlled corruption. No public proof-of-concept is identified at time of analysis, and the adjacent-network vector (AV:A) plus the large accumulation requirement make this a targeted, specialized scenario rather than a turnkey remote exploit. |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.93, 6.18.34, 7.0.11, or 7.1 (or later within each series), which widen batadv_tvlv_container_list_size() to size_t and add the U16_MAX guard. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Linux with batman-adv mesh routing enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38704
GHSA-w473-pp3w-rqc2