CVE-2026-46233
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
A vulnerability has been identified in the Linux kernel within the batman-adv module, specifically in the batadv_bla_purge_claims() function. The issue arises when the function encounters a claim that is in the process of being released, leading to a NULL pointer dereference.
Risk Assessment
Exploitation of this vulnerability could allow an attacker to cause system crashes or unauthorized memory access, potentially leading to severe consequences for system stability and security.
Recommendation
It is recommended to update the Linux kernel to the latest version that includes fixes for this vulnerability to ensure that only claims with a valid reference counter are purged.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.

