Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A wrap‑around bug in batman‑adv’s TVLV packet builder can cause the kernel to allocate a buffer that is smaller than required. When the data is copied, bytes write beyond the end of the allocated area, corrupting kernel memory. This corruption can lead to kernel crashes or, in a more capable attacker scenario, arbitrary code execution with kernel privileges. The flaw is a classic integer‑overflow to buffer‑overflow issue. The description explicitly states a memory corruption outcome without naming a specific exploit or a denial‑of‑service effect, but the nature of the bug suggests the potential for privilege escalation if an attacker can craft a packet to reach the vulnerable code.

Affected Systems

All Linux kernel installations that include the batman‑adv networking module are impacted. No specific kernel or module version is listed; the bug exists wherever the current batman‑adv code path is compiled into the system.

Risk and Exploitability

The EPSS score is less than 1%, and the CVSS score is 8.8, indicating high severity. KEV is not listed. Based on the description, an attacker can trigger the vulnerability by sending oversized TVLV packets from another node in a batman‑adv mesh network. The likely attack vector is a malicious peer within the mesh. An attacker with network access to the mesh can construct such packets, potentially causing a memory corruption that could be leveraged for privilege escalation or a denial‑of‑service if the kernel crashes. The absence of a KEV listing suggests it has not been observed in the wild yet, but the severity of the underlying flaw warrants prompt attention.

Generated by OpenCVE AI on June 28, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the batman‑adv patch which widens the size calculation to size_t and adds a bounds check before allocation.
  • If an immediate kernel upgrade is not possible, apply the batman‑adv source patch, rebuild, and reinstall the module.
  • If batman‑adv is not required for the deployment, unload or disable the module to eliminate the attack surface.
  • Implement network segmentation or firewall rules to restrict exposure of batman‑adv endpoints to trusted peers only, reducing the chance that an untrusted host can send malformed packets.

Generated by OpenCVE AI on June 28, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680

Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: batman-adv: tvlv: reject oversized TVLV packets batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers. The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory. Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.
Title batman-adv: tvlv: reject oversized TVLV packets
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:55.538Z

Reserved: 2026-06-09T07:44:35.369Z

Link: CVE-2026-52934

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52934 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound