Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Requires adjacent mesh reach and an active tp_meter receiver session (AV:A/AC:H); uninitialized reads yield limited memory disclosure (C:L) and possible kernel crash (A:L), no integrity impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: tp_meter: avoid use of uninit sender vars
batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior.
This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet.
Guard against this by checking tp_vars->role immediately after the lookup and bailing out if it is not BATADV_TP_SENDER, before any of those members are accessed.
AnalysisAI
Use of uninitialized sender variables in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module allows a malicious mesh peer to trigger undefined behavior on a node acting as a tp_meter receiver. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the batman-adv module to be loaded and the target node to be an active participant in an ongoing tp_meter (throughput meter) session in the BATADV_TP_RECEIVER role; the attacker must be able to inject a crafted tp_meter ACK packet onto the same layer-2 batman-adv mesh that reaches the victim. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are sharply conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has joined or spoofed a node on a batman-adv mesh waits for (or induces) a victim node to participate as a tp_meter receiver, then sends a crafted/malicious tp_meter ACK packet. The victim's kernel runs sender-only ACK-handling logic against the receiver session, dereferencing uninitialized tp_vars members and leaking kernel memory or panicking. … |
| Remediation | Apply the vendor-released stable kernel updates: upgrade to 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1, or later as appropriate to your branch (Vendor-released patch: see fixed versions above), and reboot. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running batman-adv and identify which stable kernel versions are in production. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38701
GHSA-xwx9-x5x2-3cmw