Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
batman-adv is an L2 mesh protocol so AV:A; the crash needs an skb-copy allocation failure under memory pressure that the attacker cannot force, so AC:H; availability-only impact gives A:H, C/I:N.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: dat: handle forward allocation error
batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb for each DHT candidate, but does not check the return value before passing it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences the skb unconditionally, so a failed allocation triggers a NULL pointer dereference.
Skip forwarding to the current DHT candidate on allocation failure.
AnalysisAI
Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be running a Linux kernel built with batman-adv (CONFIG_BATMAN_ADV) AND have the Distributed ARP Table (DAT) feature enabled on a mesh interface - DAT is the exact feature whose forwarding path (batadv_dat_forward_data) contains the bug. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward low real-world priority despite the High (7.5) CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connected to a batman-adv mesh network sends a stream of ARP traffic that the local node forwards through the Distributed ARP Table to DHT candidate nodes. While the target is under memory pressure, pskb_copy_for_clone() fails during forwarding and the unchecked NULL skb is dereferenced, crashing the kernel (denial of service). … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, or 7.1 (or later in each series), matching your running branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running batman-adv and confirm whether mesh networking is deployed in production environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38725
GHSA-jv9r-93q3-fcf8