Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix fragment reassembly length accounting

batman-adv keeps a running payload length for queued fragments and uses it
to validate a fragment chain before reassembly.

That accounting currently allows the accumulated fragment length to be
truncated during updates. As a result, malformed fragment chains can
bypass the intended validation and drive reassembly with inconsistent
length state, leading to a local denial of service.

Fix the accounting by storing the accumulated length in a length-typed
field and rejecting update overflows before the existing validation logic
runs.

The fix was verified against the original reproducer and against valid
fragment reassembly paths.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the batman-adv module of the Linux kernel. A flaw in how accumulated fragment lengths are tracked allows an attacker to feed a malformed fragment chain that overflows the length counter. This permits the attacker to bypass the module’s validation logic and trigger reassembly with an inconsistent length state, resulting in a local denial of service. The weakness is an integer overflow that subverts integrity checks during packet reassembly.

Affected Systems

All Linux kernel installations that include the batman-adv networking module before the referenced fix. Exact kernel versions are not listed, but any kernel that shipped batman-adv in its buggy form is potentially affected.

Risk and Exploitability

The attack vector is local; a user or process with access to the batman-adv interface can send crafted data to trigger the overflow. The exploitation does not provide direct escalation or data exfiltration, but it can crash the module and disrupt network connectivity. The EPSS score is < 1% (indicating a low likelihood of exploitation), and the vulnerability is not listed in CISA KEV, indicating it is currently unreported in the known exploited vulnerabilities catalog. The CVSS score of 9.8 indicates a critical severity.

Generated by OpenCVE AI on June 28, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel or batman-adv module to a release that includes the commit addressing the length accounting bug (e.g., version after commit 37be61825b15534a16ff9cfc9546de155b6df982).
  • If the system does not need the batman-adv feature, unload or disable the module to eliminate the attack surface.
  • Restrict access to the batman-adv interface so that only privileged users can use it, and apply firewall rules to block untrusted fragment traffic that may trigger the vulnerability.

Generated by OpenCVE AI on June 28, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix fragment reassembly length accounting batman-adv keeps a running payload length for queued fragments and uses it to validate a fragment chain before reassembly. That accounting currently allows the accumulated fragment length to be truncated during updates. As a result, malformed fragment chains can bypass the intended validation and drive reassembly with inconsistent length state, leading to a local denial of service. Fix the accounting by storing the accumulated length in a length-typed field and rejecting update overflows before the existing validation logic runs. The fix was verified against the original reproducer and against valid fragment reassembly paths.
Title batman-adv: fix fragment reassembly length accounting
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:31.785Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52914

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52914 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-130

    Improper Handling of Length Parameter Inconsistency