CVE-2026-46208
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A vulnerability has been identified in the Linux kernel's batman-adv module, allowing tp_meter sessions to continue after the netlink request has finished. During the removal of the mesh interface, these sessions are not properly stopped, potentially leading to synchronization issues.
Risk Assessment
The organization may face unexpected system behavior as active tp_meter sessions attempt to process data during the shutdown of the mesh interface, which could result in data loss or network instability.
Recommendation
It is recommended to update the Linux kernel to a version that includes a fix for this vulnerability to ensure synchronization of tp_meter sessions with the mesh interface lifecycle.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop tp_meter sessions during mesh teardown TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.

