Skip to main content

Linux Kernel CVE-2026-52934

| EUVDEUVD-2026-38704 HIGH
2026-06-24 Linux GHSA-w473-pp3w-rqc2
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.7 MEDIUM

Triggering requires >64KB of attacker-influenceable TVLV container state on a mesh-enabled node, so AC:H and PR:H; an out-of-bounds write impacts integrity/availability (I:H/A:H), not confidentiality (C:N).

3.1 AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:27 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.8 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers.

The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.

AnalysisAI

Kernel heap memory corruption affects the batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem of the Linux kernel, where a u16 accumulator in batadv_tvlv_container_list_size() can wrap around when the total size of registered TVLV containers exceeds 65535 bytes, leading to an undersized allocation and a subsequent out-of-bounds memcpy write in batadv_tvlv_container_ogm_append(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join adjacent batman-adv mesh segment
Delivery
Drive TVLV container registration past 64KB
Exploit
Overflow u16 size accumulator
Execution
Trigger undersized OGM buffer allocation
Persist
Out-of-bounds memcpy into kernel heap
Impact
Corrupt kernel memory (DoS or code execution)

Vulnerability AssessmentAI

Exploitation Exploitation requires the batman-adv kernel module to be loaded with an active mesh (bat0) interface - the vulnerable batadv_tvlv_container_ogm_append() path does not exist otherwise. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and partly conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can participate in or influence a batman-adv mesh deployment drives the registration of TVLV containers until their cumulative size exceeds 65535 bytes; when the node next builds an OGM, the 16-bit size computation wraps, a too-small buffer is allocated, and the container copy writes past it, corrupting kernel heap memory and crashing the node or potentially enabling controlled corruption. No public proof-of-concept is identified at time of analysis, and the adjacent-network vector (AV:A) plus the large accumulation requirement make this a targeted, specialized scenario rather than a turnkey remote exploit.
Remediation Vendor-released patch: update to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.93, 6.18.34, 7.0.11, or 7.1 (or later within each series), which widen batadv_tvlv_container_list_size() to size_t and add the U16_MAX guard. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Linux with batman-adv mesh routing enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52934 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy