Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix tp_meter counter underflow during shutdown

batadv_tp_sender_shutdown() unconditionally decrements the "sending"
atomic counter. If multiple paths (e.g. timeout, user cancel, and
normal finish) call this function, the counter can underflow to -1.

Since the sender logic treats any non-zero value as "still sending",
a negative value causes the sender kthread to loop indefinitely.
This leads to a use-after-free when the interface is removed while
the zombie thread is still active.

Fix this by using atomic_xchg() to ensure the counter only transitions
from 1 to 0 once.

[sven: added missing change in batadv_tp_send]
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A counter underflow occurs in the batman‑adv tap meter shutdown routine. The atomic counter is decremented unconditionally; if multiple shutdown paths are activated the counter can become negative. Because the sender logic interprets any non‑zero value as "still sending", a negative counter causes the sender kernel thread to loop indefinitely. When the underlying network interface is removed while the zombie thread remains active, a use‑after‑free occurs, potentially crashing the kernel and providing a denial‑of‑service vector. The weakness involves integer underflow (CWE‑191).

Affected Systems

The vulnerability affects Linux kernel installations that include the batman‑adv module with the tp_meter feature. All releases of the Linux kernel that have not integrated the fix contained in the referenced commits are potentially vulnerable. No specific version range is provided, so any kernel revision lacking the update may be impacted.

Risk and Exploitability

The EPSS score is < 1%, indicating a very low probability of exploitation while still making it difficult to quantify overall severity. The CVSS score is 7.8, reflecting a moderate to high impact. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not known to be actively exploited. However, a use‑after‑free in kernel code is a high‑impact flaw; exploitation would likely require local control over batman‑adv traffic or the ability to trigger multiple shutdown paths. The risk remains significant for systems that run batman‑adv services without the patch.

Generated by OpenCVE AI on June 28, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the batadv_tp_sender_shutdown fix (see the referenced commits).
  • If an immediate kernel upgrade is not possible, avoid shutting down batman‑adv interfaces until all senders have completed or disable the tp_meter feature if it is not required.
  • Monitor kernel logs for panic messages or indications of zombie sender threads and ensure that interface removal does not occur while a batman‑adv sender is active.

Generated by OpenCVE AI on June 28, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix tp_meter counter underflow during shutdown batadv_tp_sender_shutdown() unconditionally decrements the "sending" atomic counter. If multiple paths (e.g. timeout, user cancel, and normal finish) call this function, the counter can underflow to -1. Since the sender logic treats any non-zero value as "still sending", a negative value causes the sender kthread to loop indefinitely. This leads to a use-after-free when the interface is removed while the zombie thread is still active. Fix this by using atomic_xchg() to ensure the counter only transitions from 1 to 0 once. [sven: added missing change in batadv_tp_send]
Title batman-adv: fix tp_meter counter underflow during shutdown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:40.590Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52919

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52919 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-191

    Integer Underflow (Wrap or Wraparound)