Impact
The batman-adv driver in the Linux kernel builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65,535 and wrap before kmalloc() is called. The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs. This heap buffer overflow can corrupt arbitrary kernel memory on the host, potentially allowing an attacker to execute malicious code or cause a denial of service. The vulnerability therefore compromises the confidentiality, integrity, and availability of systems running the affected kernel.
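The following C program is an added illustration of the length-computation bug class described above; it is not the batman-adv source or the kernel patch, and all names (tt_alloc_len_wrapping, tt_alloc_len_checked, MAX_TT_REPLY_LEN) and sample lengths are constructed for this example. It contrasts a 16-bit accumulation that wraps with a widened, bounds-checked version, and computes how many bytes a fill driven by the original payload length would overrun the wrapped allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on a single reply. It stands in for whatever
 * packet-size limit the real driver enforces later in the path; the point
 * is that the check must run before the allocation, not after the fill. */
#define MAX_TT_REPLY_LEN 65535u

/* Vulnerable pattern: the sum is formed in a 16-bit temporary, so any
 * total above 65535 wraps modulo 65536 before reaching the allocator. */
uint16_t tt_alloc_len_wrapping(uint16_t tt_payload_len, uint16_t vlan_hdr_off)
{
    uint16_t len = tt_payload_len;
    len += vlan_hdr_off;          /* wraps silently */
    return len;
}

/* Hardened pattern: widen both operands to size_t before adding and reject
 * any total above the reply bound. Returns false when the request must be
 * refused instead of allocating an undersized object. */
bool tt_alloc_len_checked(uint32_t tt_payload_len, uint16_t vlan_hdr_off, size_t *out)
{
    size_t total = (size_t)tt_payload_len + (size_t)vlan_hdr_off;
    if (total > MAX_TT_REPLY_LEN)
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper for callers that only need a value: 0 means rejected. */
size_t tt_alloc_len_or_zero(uint32_t tt_payload_len, uint16_t vlan_hdr_off)
{
    size_t len;
    return tt_alloc_len_checked(tt_payload_len, vlan_hdr_off, &len) ? len : 0;
}

/* Models the full-table fill: the writer uses the original payload length
 * plus the header offset, not the (possibly wrapped) allocation length.
 * Returns the number of bytes that would land past the end of the object,
 * 0 meaning the fill stays in bounds. No memory is actually written. */
size_t tt_fill_overrun_bytes(size_t alloc_len, size_t tt_payload_len, size_t vlan_hdr_off)
{
    size_t needed = vlan_hdr_off + tt_payload_len;
    return needed > alloc_len ? needed - alloc_len : 0;
}

int main(void)
{
    /* Constructed sample: a large advertised TT plus a header offset. */
    uint32_t tt_payload_len = 65000;
    uint16_t vlan_hdr_off = 1000;

    uint16_t wrapped = tt_alloc_len_wrapping((uint16_t)tt_payload_len, vlan_hdr_off);
    printf("16-bit allocation length: %u (wrapped from %u)\n",
           wrapped, tt_payload_len + vlan_hdr_off);
    printf("bytes written past the object by the fill: %zu\n",
           tt_fill_overrun_bytes(wrapped, tt_payload_len, vlan_hdr_off));

    size_t checked = tt_alloc_len_or_zero(tt_payload_len, vlan_hdr_off);
    printf("checked path: %s\n", checked ? "allocated" : "rejected before kmalloc()");
    return 0;
}
```

The checked variant also shows the detection-side lesson: a reply whose payload length plus header offset exceeds the reply bound is malformed by construction, so the size check belongs before the allocation, where refusing the request is cheap and safe.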
Affected Systems
The flaw lies in the batman-adv networking driver that ships with the Linux kernel. All kernel releases that include the vulnerable driver before the patch, from the Linux 3.13 series through the 7.0 release candidates, are potentially affected. The impact applies to any platform running those kernels with batman-adv enabled, regardless of vendor. Users of newer releases that already include the patch are not affected.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% shows that the likelihood of exploitation in the wild is currently low, though not zero. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants attention. The flaw can be triggered by an attacker who can inject crafted TT response packets into the network path of a batman-adv node, which makes this a remote network attack vector. Exploitation requires the ability to deliver malformed traffic to a kernel running the vulnerable driver, and the affected systems are likely to be exposed in the distributed, software-defined mesh networks where batman-adv is used.