Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tp_meter: avoid use of uninit sender vars

batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the
BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it
proceeds to read sender-only members that were never initialized, leading
to undefined behavior.

This can be triggered when a node that is currently acting as a receiver in
an ongoing tp_meter session receives a malicious ACK packet.

Guard against this by checking tp_vars->role immediately after the
lookup and bailing out if it is not BATADV_TP_SENDER, before any of
those members are accessed.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The batman-adv tp_meter module contains a flaw where receiving a malicious ACK packet while acting as a receiver causes the code to access sender-only members that were never initialized, leading to undefined behaviour. This can result in a crash, memory corruption, or other unintended effects; whether it allows code execution or privilege escalation is not confirmed in the CVE data and is inferred from the undefined behaviour.

Affected Systems

Any Linux system that runs a kernel containing the batman-adv subsystem and participates in a tp_meter session is potentially affected. No specific kernel release is disclosed, so all builds that include the unpatched code are vulnerable.

Risk and Exploitability

The CVSS score is 9.8. The EPSS score of the vulnerability is < 1%, indicating a very low exploitation probability and it is not listed in CISA KEV. It is a kernel-space flaw, indicating high potential impact. An attacker must send a crafted ACK packet over a tp_meter session, which requires either proximity on the mesh network or participation in a tp_meter session; this requirement is inferred from the attack path. Triggering the flaw causes undefined behaviour that could lead to a crash or memory corruption. Whether such corruption could be leveraged for privilege escalation or code execution is not established in the CVE data and is inferred from the undefined behaviour. The overall risk for environments using batman-adv without the patch remains high.

Generated by OpenCVE AI on June 28, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel release that includes the batman-adv patch referenced in the advisory commits.
  • If a patch is unavailable or a kernel upgrade cannot be performed immediately, disable the batman-adv tp_meter feature or isolate affected nodes until remediation.
  • After applying remediation, monitor system stability and network activity for signs of crashes, memory corruption, or anomalous ACK traffic.

Generated by OpenCVE AI on June 28, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758

Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: batman-adv: tp_meter: avoid use of uninit sender vars batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior. This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet. Guard against this by checking tp_vars->role immediately after the lookup and bailing out if it is not BATADV_TP_SENDER, before any of those members are accessed.
Title batman-adv: tp_meter: avoid use of uninit sender vars
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:51.143Z

Reserved: 2026-06-09T07:44:35.369Z

Link: CVE-2026-52931

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52931 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-824

    Access of Uninitialized Pointer