CVE-2026-46212 - Vulnerability Details

- batman-adv: bla: prevent use-after-free when deleting claims

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: prevent use-after-free when deleting claims

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
does this by dropping the link entry in the hash list. This list entry
itself was one of the references which need to be dropped at the same time
via batadv_claim_put().

But the batadv_claim_put() must not be done before the last access to the
claim object in this function. Otherwise the claim might be freed already
by the batadv_claim_release() function before the list entry was dropped.

Published: 2026-05-28

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free vulnerability exists within the batman‑adv driver of the Linux kernel. The flaw arises when the batadv_bla_del_backbone_claims() routine removes a backbone claim and deletes its hash‑list entry before the associated claim object has had all its references released. If the object is freed prematurely, subsequent accesses to that memory may cause a kernel crash, data corruption, or other erratic behaviour. No evidence in the advisory suggests privilege escalation, only kernel stability issues.

Affected Systems

The issue is confined to Linux kernel implementations that include the batman‑adv networking module with the pre‑patch version of batadv_bla_del_backbone_claims(). All affected kernels that have this function compiled in are susceptible. Systems that enable the batman‑adv driver or use the module for network claim handling are at risk. No explicit version range is provided, so any kernel version before the patch should be considered vulnerable.

Risk and Exploitability

The CVSS score is not supplied in the data, and the EPSS score of <1% indicates a very low, but non‑zero, likelihood of exploitation. The vulnerability is a local kernel‑level use‑after‑free. An attacker with local or remote access to a host that processes batman‑adv traffic could in theory trigger the faulty clean‑up path. Because the flaw does not involve credential validation or input parsing directly, it is inferred that a privileged or otherwise compromised process would be required to exercise the dangerous code path. The fault is not currently listed in CISA’s KEV catalog, suggesting no active exploitation reports presently.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 368449e467d5f1e2c2e987bf2bd57000ba75e10b
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 0cc9847c64cb6e61118bc78c9187c8209a7197fa
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 4ae1709a314060a196981b344610d023ea841e57

Linux

affected

Version	Status	Constraints
`3.5`	affected	—
`0`	unaffected	< 3.5
`6.6.140`	unaffected	≤ 6.6.*
`6.12.90`	unaffected	≤ 6.12.*
`6.18.32`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1-rc4`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[23721387c409087fd3b97e274f34d3ddc0970b74,368449e467d5f1e2c2e987bf2bd57000ba75e10b)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,0cc9847c64cb6e61118bc78c9187c8209a7197fa)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,4ae1709a314060a196981b344610d023ea841e57)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.5`	affected	generic	—
`[0,3.5)`	unaffected	generic	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.90,6.13.0)`	unaffected	semver	—
`[6.18.32,6.19.0)`	unaffected	semver	—
`[7.0.9,7.1.0)`	unaffected	semver	—
`[7.1-rc4,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the batadv_bla_del_backbone_claims() fix.
If an update cannot be applied promptly, disable the batman‑adv driver or avoid network situations that initiate backbone claim deletion, effectively preventing the vulnerable code from executing.
Deploy kernel hardening measures such as enabling CONFIG_KASAN, kernel lockdown, SELinux enforcing mode, and consistent page‑protection. Monitor startup logs and dmesg for kernel panics or crash messages that could indicate an exploitation attempt.

Generated by OpenCVE AI on May 29, 2026 at 04:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401
https://git.kernel.org/stable/c/0cc9847c64cb6e61118bc78c9187c8209a7197fa
https://git.kernel.org/stable/c/368449e467d5f1e2c2e987bf2bd57000ba75e10b
https://git.kernel.org/stable/c/4ae1709a314060a196981b344610d023ea841e57
https://git.kernel.org/stable/c/6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472
https://lore.kernel.org/linux-cve-announce/2026052835-CVE-2026-46212-2bca@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46212
https://www.cve.org/CVERecord?id=CVE-2026-46212

History

Fri, 29 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026052835-CVE-2026-46212-2bca@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46212 https://www.cve.org/CVERecord?id=CVE-2026-46212

Thu, 28 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: prevent use-after-free when deleting claims When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.
Title		batman-adv: bla: prevent use-after-free when deleting claims
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401 https://git.kernel.org/stable/c/0cc9847c64cb6e61118bc78c9187c8209a7197fa https://git.kernel.org/stable/c/368449e467d5f1e2c2e987bf2bd57000ba75e10b https://git.kernel.org/stable/c/4ae1709a314060a196981b344610d023ea841e57 https://git.kernel.org/stable/c/6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:40:29.712Z

Updated: 2026-05-28T09:40:29.712Z

Reserved: 2026-05-13T15:03:33.105Z

Link: CVE-2026-46212

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:36.853

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46212

Redhat

Severity :

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46212 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T05:00:07Z

Weaknesses

CWE-364

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object