CVE-2026-46198 - Vulnerability Details

- batman-adv: fix integer overflow on buff_pos

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix integer overflow on buff_pos

Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size
check is done using the int type in batadv_iv_ogm_aggr_packet whereas the
buff_pos variable uses the s16 type. This could lead to an out-of-bound
read.

Published: 2026-05-28

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An integer overflow exists in the batman-adv networking subsystem, specifically within the batadv_iv_ogm_send_to_if function. The buffer position index uses a 16‑bit signed type, while the size check employs a 32‑bit signed type, allowing an out‑of‑bounds read of kernel memory. The effect is the exposure of privileged kernel data without crashing the operating system, representing a potential confidentiality breach.

Affected Systems

All Linux kernel releases that ship the batman‑adv module before the patch commit are vulnerable. The CNA lists the kernel as the affected product, but does not specify particular versions, so any kernel incorporating the unpatched batadv code is at risk.

Risk and Exploitability

The CVSS score is 8.8. The EPSS score is reported as less than 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of public exploitation at this time. However, the vulnerability allows an attacker to read arbitrary kernel memory which carries high impact if exploited. Based on the function involved, the likely attack vector is a crafted OGM packet received via the batman‑adv interface, though explicit exploitation evidence is not documented.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< 867cd090760e8f5cd206f387b47ff9c56fac04e9
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< 10bb1f366d884d506c38a947b43026a75d1afe9a
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< 96c9c0ed9a9579a9085765aceaa4556a6666eb82
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< f61499359fa529f0d45a53bf7c573a49eb6322e6
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< 974542d1efc48b7e9fe16184e647615cba39969b
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< bf872db54f91ffe70104b98c20068b2d5910e018
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< b252797bfced986d6d92ec2f4cfcca842ce8aa78
`c6c8fea29769d998d94fcec9b9f14d4b52b349d3`	affected	< 0799e5943611006b346b8813c7daf7dd5aa26bfd

Linux

affected

Version	Status	Constraints
`2.6.38`	affected	—
`0`	unaffected	< 2.6.38
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.90`	unaffected	≤ 6.12.*
`6.18.32`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc3::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c6c8fea29769d998d94fcec9b9f14d4b52b349d3,f61499359fa529f0d45a53bf7c573a49eb6322e6)`	affected	code_commit	—
`[c6c8fea29769d998d94fcec9b9f14d4b52b349d3,974542d1efc48b7e9fe16184e647615cba39969b)`	affected	code_commit	—
`[c6c8fea29769d998d94fcec9b9f14d4b52b349d3,bf872db54f91ffe70104b98c20068b2d5910e018)`	affected	code_commit	—
`[c6c8fea29769d998d94fcec9b9f14d4b52b349d3,b252797bfced986d6d92ec2f4cfcca842ce8aa78)`	affected	code_commit	—
`[c6c8fea29769d998d94fcec9b9f14d4b52b349d3,0799e5943611006b346b8813c7daf7dd5aa26bfd)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.38`	affected	semver	—
`[0,2.6.38)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.90,6.13.0)`	unaffected	semver	—
`[6.18.32,6.19.0)`	unaffected	semver	—
`[7.0.9,7.1.0)`	unaffected	semver	—
`[7.1-rc4,*)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the batman‑adv patch for the integer overflow
If an upgrade is not immediately possible, unload or disable the batman‑adv module to eliminate the vulnerable code path
Monitor network traffic for abnormal OGM packets and apply any available vendor backports or advisories before a full kernel update

Generated by OpenCVE AI on May 30, 2026 at 12:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00285.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0799e5943611006b346b8813c7daf7dd5aa26bfd
https://git.kernel.org/stable/c/10bb1f366d884d506c38a947b43026a75d1afe9a
https://git.kernel.org/stable/c/867cd090760e8f5cd206f387b47ff9c56fac04e9
https://git.kernel.org/stable/c/96c9c0ed9a9579a9085765aceaa4556a6666eb82
https://git.kernel.org/stable/c/974542d1efc48b7e9fe16184e647615cba39969b
https://git.kernel.org/stable/c/b252797bfced986d6d92ec2f4cfcca842ce8aa78
https://git.kernel.org/stable/c/bf872db54f91ffe70104b98c20068b2d5910e018
https://git.kernel.org/stable/c/f61499359fa529f0d45a53bf7c573a49eb6322e6
https://lore.kernel.org/linux-cve-announce/2026052831-CVE-2026-46198-8c9b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46198
https://www.cve.org/CVERecord?id=CVE-2026-46198

History

Wed, 10 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.1:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.1:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.1:rc3::::::

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/10bb1f366d884d506c38a947b43026a75d1afe9a https://git.kernel.org/stable/c/867cd090760e8f5cd206f387b47ff9c56fac04e9 https://git.kernel.org/stable/c/96c9c0ed9a9579a9085765aceaa4556a6666eb82

Sat, 30 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 29 May 2026 03:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-680

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-190
References		https://lore.kernel.org/linux-cve-announce/2026052831-CVE-2026-46198-8c9b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46198 https://www.cve.org/CVERecord?id=CVE-2026-46198

Thu, 28 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-680

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix integer overflow on buff_pos Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.
Title		batman-adv: fix integer overflow on buff_pos
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0799e5943611006b346b8813c7daf7dd5aa26bfd https://git.kernel.org/stable/c/974542d1efc48b7e9fe16184e647615cba39969b https://git.kernel.org/stable/c/b252797bfced986d6d92ec2f4cfcca842ce8aa78 https://git.kernel.org/stable/c/bf872db54f91ffe70104b98c20068b2d5910e018 https://git.kernel.org/stable/c/f61499359fa529f0d45a53bf7c573a49eb6322e6

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:40:14.558Z

Updated: 2026-06-14T18:02:03.705Z

Reserved: 2026-05-13T15:03:33.104Z

Link: CVE-2026-46198

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:35.460

Modified: 2026-06-10T17:09:27.437

Link: CVE-2026-46198

Redhat

Severity :

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46198 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:00:12Z

Weaknesses

CWE-190
Integer Overflow or Wraparound

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object