CVE-2026-52919 - Vulnerability Details

- batman-adv: fix tp_meter counter underflow during shutdown

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix tp_meter counter underflow during shutdown

batadv_tp_sender_shutdown() unconditionally decrements the "sending"
atomic counter. If multiple paths (e.g. timeout, user cancel, and
normal finish) call this function, the counter can underflow to -1.

Since the sender logic treats any non-zero value as "still sending",
a negative value causes the sender kthread to loop indefinitely.
This leads to a use-after-free when the interface is removed while
the zombie thread is still active.

Fix this by using atomic_xchg() to ensure the counter only transitions
from 1 to 0 once.

[sven: added missing change in batadv_tp_send]

Published: 2026-06-24

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A counter underflow occurs in the batman‑adv tap meter shutdown routine. The atomic counter is decremented unconditionally; if multiple shutdown paths are activated the counter can become negative. Because the sender logic interprets any non‑zero value as "still sending", a negative counter causes the sender kernel thread to loop indefinitely. When the underlying network interface is removed while the zombie thread remains active, a use‑after‑free occurs, potentially crashing the kernel and providing a denial‑of‑service vector. The weakness involves improper counter management and resource deallocation.

Affected Systems

All Linux kernel releases that include batman‑adv and employ the tp_meter implementation are affected. No specific version range is provided in the CVE entry, so the vulnerability applies to any kernel revision that has not yet integrated the fix contained in commits linked in the references.

Risk and Exploitability

The CVSS score is not listed, and the EPSS score is unavailable, making it difficult to quantify severity. The vulnerability is listed as not being in the CISA KEV catalog, suggesting it is not known to be actively exploited. However, a use‑after‑free in kernel code is a high‑impact flaw; exploitation would likely require local control over batman‑adv traffic or the ability to trigger multiple shutdown paths. Inferred from the description, the attack vector appears to be local or through manipulation of batman‑adv control packets. The risk remains significant for systems that run batman‑adv services without the patch.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< e75e2ab463b5b34df6b98f94d740aff327ce9f6b
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< abae88fa254f2981d39ac003a7b302528a22af64
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< c66d20a3ff095e3f000551d208ec2606616db15c
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< c1bac194733aabd731aafa6a01350c229e187dba
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< 01cefc5923889e29dbb5f281c3d457714ceb9c00
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< 90ae3eae06b7b8ab9f6250b9497c860915b4c17b
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< aeae11c5dad9cd0d50723890bdd866f8e6db2e7d
`33a3bb4a3345bb511f9c69c913da95d4693e2a4e`	affected	< 94f3b133168d1c49895e7cc6afbcf1cc0b354602

Linux

affected

Version	Status	Constraints
`4.8`	affected	—
`0`	unaffected	< 4.8
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.142`	unaffected	≤ 6.6.*
`6.12.92`	unaffected	≤ 6.12.*
`6.18.34`	unaffected	≤ 6.18.*
`7.0.11`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,e75e2ab463b5b34df6b98f94d740aff327ce9f6b)`	affected	code_commit	—
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,abae88fa254f2981d39ac003a7b302528a22af64)`	affected	code_commit	—
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,c66d20a3ff095e3f000551d208ec2606616db15c)`	affected	code_commit	—
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,c1bac194733aabd731aafa6a01350c229e187dba)`	affected	code_commit	—
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,01cefc5923889e29dbb5f281c3d457714ceb9c00)`	affected	code_commit	—
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,90ae3eae06b7b8ab9f6250b9497c860915b4c17b)`	affected	code_commit	—
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,aeae11c5dad9cd0d50723890bdd866f8e6db2e7d)`	affected	code_commit	—
`[33a3bb4a3345bb511f9c69c913da95d4693e2a4e,94f3b133168d1c49895e7cc6afbcf1cc0b354602)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.8`	affected	generic	—
`[0,4.8)`	unaffected	generic	—
`[5.10.258,5.10.*]`	unaffected	generic	—
`[5.15.209,5.15.*]`	unaffected	generic	—
`[6.1.175,6.1.*]`	unaffected	generic	—
`[6.6.142,6.6.*]`	unaffected	generic	—
`[6.12.92,6.12.*]`	unaffected	generic	—
`[6.18.34,6.18.*]`	unaffected	generic	—
`[7.0.11,7.0.*]`	unaffected	generic	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the batadv_tp_sender_shutdown fix (see the referenced commits).
If an immediate kernel upgrade is not possible, avoid shutting down batman‑adv interfaces until all senders have completed or disable the tp_meter feature if it is not required.
Monitor kernel logs for panic messages or indications of zombie sender threads and ensure that interface removal does not occur while a batman‑adv sender is active.

Generated by OpenCVE AI on June 24, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00164.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/01cefc5923889e29dbb5f281c3d457714ceb9c00
https://git.kernel.org/stable/c/90ae3eae06b7b8ab9f6250b9497c860915b4c17b
https://git.kernel.org/stable/c/94f3b133168d1c49895e7cc6afbcf1cc0b354602
https://git.kernel.org/stable/c/abae88fa254f2981d39ac003a7b302528a22af64
https://git.kernel.org/stable/c/aeae11c5dad9cd0d50723890bdd866f8e6db2e7d
https://git.kernel.org/stable/c/c1bac194733aabd731aafa6a01350c229e187dba
https://git.kernel.org/stable/c/c66d20a3ff095e3f000551d208ec2606616db15c
https://git.kernel.org/stable/c/e75e2ab463b5b34df6b98f94d740aff327ce9f6b

History

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix tp_meter counter underflow during shutdown batadv_tp_sender_shutdown() unconditionally decrements the "sending" atomic counter. If multiple paths (e.g. timeout, user cancel, and normal finish) call this function, the counter can underflow to -1. Since the sender logic treats any non-zero value as "still sending", a negative value causes the sender kthread to loop indefinitely. This leads to a use-after-free when the interface is removed while the zombie thread is still active. Fix this by using atomic_xchg() to ensure the counter only transitions from 1 to 0 once. [sven: added missing change in batadv_tp_send]
Title		batman-adv: fix tp_meter counter underflow during shutdown
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/01cefc5923889e29dbb5f281c3d457714ceb9c00 https://git.kernel.org/stable/c/90ae3eae06b7b8ab9f6250b9497c860915b4c17b https://git.kernel.org/stable/c/94f3b133168d1c49895e7cc6afbcf1cc0b354602 https://git.kernel.org/stable/c/abae88fa254f2981d39ac003a7b302528a22af64 https://git.kernel.org/stable/c/aeae11c5dad9cd0d50723890bdd866f8e6db2e7d https://git.kernel.org/stable/c/c1bac194733aabd731aafa6a01350c229e187dba https://git.kernel.org/stable/c/c66d20a3ff095e3f000551d208ec2606616db15c https://git.kernel.org/stable/c/e75e2ab463b5b34df6b98f94d740aff327ce9f6b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:15.201Z

Updated: 2026-06-24T07:14:15.201Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52919

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:30:14Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object