CVE-2026-46233 - Vulnerability Details

- batman-adv: bla: only purge non-released claims

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: only purge non-released claims

When batadv_bla_purge_claims() goes through the list of claims, it is only
traversing the hash list with an rcu_read_lock(). Due to a potential
parallel batadv_claim_put(), it can happen that it encounters a claim which
was actually in the process of being released+freed by
batadv_claim_release(). In this case, backbone_gw is set to NULL before the
delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is
then no longer allowed because it would cause a NULL-ptr derefence.

To avoid this, only claims with a valid reference counter must be purged.
All others are already taken care of.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Within the batman‑adv networking stack of the Linux kernel, the function that purges unused claims walks a hash list while holding an rcu_read_lock. During this traversal, a concurrent release of a claim can free its memory while it is still being examined; the code then attempts to dereference a backpointer that has been set to NULL. This fault causes a NULL‑pointer dereference in kernel space, leading to a kernel panic and system-wide denial of service. The weakness is a classic dereference of a null pointer (CWE‑476).

Affected Systems

All Linux kernel installations that include the batman‑adv module are affected, independent of distribution. The fix is incorporated in the mainline kernel through the series of commits referenced in the advisory; any kernel build that includes these patches will no longer process unreferenced claims incorrectly.

Risk and Exploitability

Based on the description, it is inferred that an attacker would need local or privileged access to the target system to trigger the crash by interacting with the batman‑adv module. No public exploit is known and the EPSS score is below 1%; the vulnerability is not listed in the CISA KEV catalog, suggesting that active exploitation has not been observed. The reported CVSS score of 5.5 indicates a medium severity rating, but the kernel-level NULL dereference still signals a reasonably serious risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 6725c523a35eeca611ff37e7d4a8712fae92aefd
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< afb5436f6028fd68f408f189230fbaa19c910d72
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 7b8fbcee3184d848b5aee085ca16d0cf05c9b641
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< 7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< b65365d2b1e6095c538d49baeb140dd1c166c1b3
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d
`23721387c409087fd3b97e274f34d3ddc0970b74`	affected	< cf6b604011591865ae39ac82de8978c1120d17af

Linux

affected

Version	Status	Constraints
`3.5`	affected	—
`0`	unaffected	< 3.5
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.140`	unaffected	≤ 6.6.*
`6.12.90`	unaffected	≤ 6.12.*
`6.18.32`	unaffected	≤ 6.18.*
`7.0.9`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.1:rc3::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[23721387c409087fd3b97e274f34d3ddc0970b74,7b8fbcee3184d848b5aee085ca16d0cf05c9b641)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,b65365d2b1e6095c538d49baeb140dd1c166c1b3)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d)`	affected	code_commit	—
`[23721387c409087fd3b97e274f34d3ddc0970b74,cf6b604011591865ae39ac82de8978c1120d17af)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.5`	affected	generic	—
`[0,3.5)`	unaffected	generic	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.90,6.13.0)`	unaffected	semver	—
`[6.18.32,6.19.0)`	unaffected	semver	—
`[7.0.9,7.1.0)`	unaffected	semver	—
`[7.1-rc4,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest kernel update from your distribution that includes the batman‑adv patch (commit 7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe).
If an immediate distribution update is not possible, rebuild the kernel with the relevant patch from the upstream source, ensuring the fix is applied.
As a temporary protection, unload or disable the batman‑adv module if it is not required for your networking configuration.

Generated by OpenCVE AI on June 10, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/6725c523a35eeca611ff37e7d4a8712fae92aefd
https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe
https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641
https://git.kernel.org/stable/c/a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe
https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d
https://git.kernel.org/stable/c/afb5436f6028fd68f408f189230fbaa19c910d72
https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3
https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af
https://lore.kernel.org/linux-cve-announce/2026052840-CVE-2026-46233-1e33@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46233
https://www.cve.org/CVERecord?id=CVE-2026-46233

History

Wed, 10 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.1:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.1:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.1:rc3::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/6725c523a35eeca611ff37e7d4a8712fae92aefd https://git.kernel.org/stable/c/a9f58d5e3261f3deeae69ec1e237f38ef3ff5cbe https://git.kernel.org/stable/c/afb5436f6028fd68f408f189230fbaa19c910d72

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026052840-CVE-2026-46233-1e33@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46233 https://www.cve.org/CVERecord?id=CVE-2026-46233

Thu, 28 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.
Title		batman-adv: bla: only purge non-released claims
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641 https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3 https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:40:55.019Z

Updated: 2026-06-14T18:04:36.157Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46233

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:38.943

Modified: 2026-06-10T21:11:45.383

Link: CVE-2026-46233

Redhat

Severity :

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46233 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T23:15:28Z

Weaknesses

CWE-476
NULL Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object