CVE-2026-52916 - Vulnerability Details

- batman-adv: frag: disallow unicast fragment in fragment

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: frag: disallow unicast fragment in fragment

batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a
BATADV_UNICAST_FRAG packet is received. Once all fragments are collected
and the packet is reassembled, batadv_recv_frag_packet() calls
batadv_batman_skb_recv() again to process the defragmented payload.

A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled
payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).
Each nesting level recurses through batadv_batman_skb_recv() without bound,
growing the kernel stack until it is exhausted.

Since refragmentation or fragments in fragments are not actually allowed,
discard all packets which are still BATADV_UNICAST_FRAG packets after the
defragmentation process.

Published: 2026-06-24

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Batman‑adv, a MAC‑level virtual network overlay in the Linux kernel, has a flaw in its fragmentation logic that allows an attacker to embed a BATADV_UNICAST_FRAG packet inside the reassembled payload of another BATADV_UNICAST_FRAG packet. This matryoshka‑style nesting causes the kernel to recursively process the packet over and over until the kernel stack is exhausted, leading to a crash or reboot of the host and disruption of all network services.

Affected Systems

All Linux kernels that include the batman‑adv overlay module may be affected. No specific kernel versions were listed in the advisory; thus any kernel prior to the commit that removed this unbounded recursion can be vulnerable.

Risk and Exploitability

The defect requires an attacker to send crafted BATADV packets over the network, so a remote attacker with connectivity to the target host can trigger it. While no CVSS or EPSS score is available, the potential for a stack‑overflow denial of service makes the vulnerability high impact. It is not listed in the CISA KEV catalog, but should be addressed promptly to prevent service disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 0c208fa3859e3a33a1c38bebc41d021166e94ac8
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< bcda4814dc6524283c0b958882cb963d75fe411d
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< aea54d0bbe156d5ab7d00d68f66149ff41f4612a
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< b54e459cf86943583c1aa2ee3081874e7ab1f5f3
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 5418be6c2e117bf8a316582795a8e3ff90f45e5d
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 5895ad21c7059a652da83fb817510f7a1e962abf
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 7138c35c9ad39a2fca6264af6b87466471f04ffc
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< bc62216dc8e221e3781afa14430f45208bfa9af9

Linux

affected

Version	Status	Constraints
`3.13`	affected	—
`0`	unaffected	< 3.13
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.142`	unaffected	≤ 6.6.*
`6.12.92`	unaffected	≤ 6.12.*
`6.18.34`	unaffected	≤ 6.18.*
`7.0.11`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,0c208fa3859e3a33a1c38bebc41d021166e94ac8)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,5418be6c2e117bf8a316582795a8e3ff90f45e5d)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,5895ad21c7059a652da83fb817510f7a1e962abf)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,7138c35c9ad39a2fca6264af6b87466471f04ffc)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,aea54d0bbe156d5ab7d00d68f66149ff41f4612a)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,b54e459cf86943583c1aa2ee3081874e7ab1f5f3)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,bc62216dc8e221e3781afa14430f45208bfa9af9)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,bcda4814dc6524283c0b958882cb963d75fe411d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.13`	affected	generic	—
`[0,3.13)`	unaffected	generic	—
`[5.10.258,5.11.0)`	unaffected	semver	—
`[5.15.209,5.16.0)`	unaffected	semver	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.142,6.7.0)`	unaffected	semver	—
`[6.12.92,6.13.0)`	unaffected	semver	—
`[6.18.34,6.19.0)`	unaffected	semver	—
`[7.0.11,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to a Linux kernel version containing the batman‑adv fragmentation fix
If a kernel upgrade is not possible, disable the batman‑adv module or remove the overlay network configuration
Apply firewall or ACL rules to block or rate‑limit incoming BATADV_UNICAST_FRAG packets

Generated by OpenCVE AI on June 24, 2026 at 13:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00177.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8
https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d
https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf
https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc
https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a
https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3
https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9
https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d

History

Wed, 24 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400 CWE-674

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.
Title		batman-adv: frag: disallow unicast fragment in fragment
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8 https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3 https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9 https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:13.221Z

Updated: 2026-06-24T07:14:13.221Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52916

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T13:15:15Z

Weaknesses

CWE-400
Uncontrolled Resource Consumption
CWE-674
Uncontrolled Recursion

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object