Skip to main content

Linux Kernel EUVDEUVD-2026-32756

| CVE-2026-46238 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vhmf-xjjg-5pxr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:10 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 8.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: stop caching unowned originator pointers in BAT IV

BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.

Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.

[sven: avoid bonding logic for outgoing OGM]

AnalysisAI

Use-after-free risk in the Linux kernel's batman-adv BAT IV mesh routing implementation allows adjacent network attackers to potentially corrupt memory or disclose information by triggering stale originator pointer dereferences. The flaw affects neigh_node structures that cached an auxiliary originator pointer not owned by the neighbor state, which could dangle after purge handling. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%, but the CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability if triggered.

Technical ContextAI

batman-adv (B.A.T.M.A.N. Advanced) is a Linux kernel module implementing the Better Approach To Mobile Ad-hoc Networking protocol at layer 2, used in mesh networking deployments such as community wireless networks and IoT mesh fabrics. The BAT IV routing algorithm tracks neighbors via neigh_node structures that store the last-hop neighbor MAC address; however, some code paths additionally cached an originator pointer derived from a temporary lookup that the neigh_node did not hold a reference to. When the periodic purge handler removed the originator entry, the cached pointer became stale, producing a classic use-after-free condition (CWE-416 class, though CWE field was not assigned in the input). The fix removes the auxiliary pointer entirely and re-resolves the originator from the stored MAC address on demand, releasing the reference after use.

RemediationAI

Vendor-released patches are available: upgrade to Linux 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4, or later according to your kernel branch, using the upstream stable commits at git.kernel.org/stable/c/aafcbaf1159ea224528ca4075d0ba8c10ef374af and the four sibling commits (09dc0d1a, 67bceeb2, 6e20700f, f03e8583). For systems that cannot immediately patch, the most effective compensating control is to unload the batman-adv kernel module (rmmod batman_adv) and blacklist it via /etc/modprobe.d if mesh networking is not required - this fully eliminates the attack surface but disables any dependent mesh interfaces. If batman-adv must remain loaded, restrict physical and wireless access to the mesh segment, since the AV:A attack vector requires adjacency; consider isolating mesh interfaces on dedicated VLANs or radios and disabling promiscuous originator advertisement from untrusted peers. No userland-only workaround can fully mitigate a kernel use-after-free, so patching remains the only complete remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy