Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: stop caching unowned originator pointers in BAT IV

BAT IV keeps the last-hop neighbor address in each neigh_node, but some
paths also cache an originator pointer derived from a temporary lookup.
That pointer is not owned by the neigh_node and may no longer refer to a
live originator entry after purge handling runs.

Stop storing the auxiliary originator pointer in the BAT IV neighbor
state. When BAT IV needs the neighbor originator data, resolve it from
the stored neighbor address and drop the reference again after use.

[sven: avoid bonding logic for outgoing OGM]
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

batman‑adv, a network mesh driver in the Linux kernel, mistakenly cached an unowned originator pointer within the BAT IV neighbor state. When the neighbor table was purged, this pointer could refer to memory that had already been freed or repurposed. An attacker who can influence batman‑adv traffic in a way that causes the stale pointer to be dereferenced may trigger kernel memory corruption. Because the corruption occurs in privileged kernel space, exploitation could potentially lead to arbitrary code execution with full system privileges. The flaw involves an improper memory management pattern (CWE‑825).
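The ownership rule behind the fix, as an added example (a single-threaded userspace model, not the kernel patch and not OpenCVE's code): the neighbor keeps only an address, each use takes a counted reference through a lookup, and the reference is dropped after use. All struct and function names are hypothetical, and the MAC address in any caller is constructed; real kernel code additionally needs atomic reference counts and locking.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not the kernel's structures. */
struct orig { struct orig *next; unsigned char addr[6]; int refs, tq; };
struct neigh { unsigned char addr[6]; }; /* address only, no cached pointer */

static struct orig *head; /* originator table, modelled as a list */
static int live;          /* originators allocated and not yet freed */

/* Drop one reference; the last holder frees the object. */
static void orig_put(struct orig *o)
{
    if (o && --o->refs == 0) { free(o); live--; }
}

static int orig_add(const unsigned char *addr, int tq)
{
    struct orig *o = malloc(sizeof(*o));
    if (!o) return -1;
    *o = (struct orig){ .next = head, .refs = 1, .tq = tq }; /* table's ref */
    memcpy(o->addr, addr, sizeof(o->addr));
    head = o;
    live++;
    return 0;
}

/* Lookup returns a counted reference; the caller must orig_put() it. */
static struct orig *orig_get(const unsigned char *addr)
{
    for (struct orig *o = head; o; o = o->next)
        if (!memcmp(o->addr, addr, sizeof(o->addr))) { o->refs++; return o; }
    return NULL;
}

/* Purge handling: unlink the entry and drop the table's reference. */
static void orig_purge(const unsigned char *addr)
{
    struct orig **p = &head, *o;
    while ((o = *p) && memcmp(o->addr, addr, sizeof(o->addr)))
        p = &o->next;
    if (o) { *p = o->next; orig_put(o); }
}

/* Resolve from the stored address, read, and release again. */
static int neigh_orig_tq(const struct neigh *n)
{
    struct orig *o = orig_get(n->addr);
    int tq = o ? o->tq : -1; /* -1: originator already purged */
    orig_put(o);
    return tq;
}
```

A pointer saved in `struct neigh` without its own `refs` increment would be left dangling by `orig_purge()`; the address-based lookup returns -1 instead.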

Affected Systems

All Linux kernel versions that include the unpatched batman‑adv implementation are affected, as the issue exists before the patch that removes the auxiliary originator pointer from the neighbor state. The vulnerability is specific to the batman‑adv kernel module and does not affect user‑space applications. No exact kernel release numbers are listed, so all kernels from the first introduction of batman‑adv up to the latest stable release before the hotfix are potentially impacted.

Risk and Exploitability

The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Theoretical severity is high, as reflected by a CVSS score of 8.8, insofar as the bug permits kernel memory corruption that might enable privilege escalation, but evidence of a working exploit is lacking. The attack vector, inferred from the description, involves crafting network packets that the batman‑adv driver processes, typically bound to local or untrusted network interfaces; thus the vulnerability requires local or network‑level access to trigger. No publicly available exploits have been found, so the risk remains primarily theoretical until proof‑of‑concept code appears.

Generated by OpenCVE AI on June 10, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch removing the unowned originator pointer from the batman‑adv neighbor state; if the patch is only in the source tree, rebuild the kernel or apply the specific commit to the existing kernel.
  • If an immediate kernel upgrade is not feasible, disable the batman‑adv module or the BAT IV functionality on hosts that do not require mesh networking, thereby preventing the use of the vulnerable code path.
  • Monitor kernel logs for signs of invalid pointer dereferences or crashes in batman‑adv, and keep the system under a configuration management system that enforces timely application of security updates.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. [sven: avoid bonding logic for outgoing OGM]
Title batman-adv: stop caching unowned originator pointers in BAT IV
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:04:55.937Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46238

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:39.427

Modified: 2026-06-10T21:06:10.690

Link: CVE-2026-46238

Red Hat

Severity:

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46238 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses