Skip to main content

Linux Kernel EUVDEUVD-2026-32835

| CVE-2026-46208 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jpxw-c2j5-6fpx
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:06 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: stop tp_meter sessions during mesh teardown

TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.

A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.

AnalysisAI

Use-after-free / race condition in the Linux kernel's batman-adv mesh networking module allows a local low-privileged attacker to trigger memory corruption by exploiting unsynchronized tp_meter sessions during mesh interface teardown. The flaw stems from batadv_mesh_free() not draining active tp_meter sessions before shutdown, letting sender threads or late-arriving packets operate on a destroyed mesh instance. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02%.

Technical ContextAI

The vulnerability resides in batman-adv (B.A.T.M.A.N. Advanced), a Layer 2 mesh routing protocol implemented as a Linux kernel module. The tp_meter (throughput meter) subsystem maintains sessions on the bat_priv->tp_list structure to measure link throughput between mesh nodes. The root cause is a missing lifecycle synchronization: netlink requests can register tp_meter sessions, and these sessions persist beyond the netlink call, but the mesh teardown path in batadv_mesh_free() does not wait for sender threads to complete or drain pending packets. This creates a classic use-after-free / race condition pattern (CWE-416 / CWE-362 family, though CWE was not assigned) where kernel code references freed mesh state. CWE was not provided in the input data.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 7.1-rc4 or later on mainline, or to stable releases 7.0.9, 6.18.32, 6.12.90, or 6.6.140 depending on the deployed branch; commits are published at https://git.kernel.org/stable/c/8634c1dbd73adb74d40533ebb7e914efb82e71fb and the four sibling stable backport commits referenced above. For systems where kernel upgrade is not immediately feasible, unload the batman-adv module (rmmod batman_adv) if mesh networking is not required, with the side effect of disabling any active B.A.T.M.A.N. mesh interfaces; alternatively, blacklist the module in /etc/modprobe.d/ to prevent autoload. Where batman-adv must remain in use, restrict CAP_NET_ADMIN and netlink access to trusted administrators only and avoid concurrent tp_meter operations with mesh interface teardown, accepting that this is only a partial mitigation since the race window can still be hit by privileged users or scripts. Refer to NVD entry https://nvd.nist.gov/vuln/detail/CVE-2026-46208 for tracking.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy