CVE-2026-52934
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
In the Linux kernel's batman-adv module, a buffer overflow vulnerability was found in TVLV packet processing. The function calculating the TVLV container list size used u16 type, causing integer wrap-around when the total exceeds 65535 bytes, leading to undersized buffer allocation and out-of-bounds write.
Risk Assessment
An attacker can remotely send crafted TVLV packets, causing kernel memory corruption, potentially leading to system crash (DoS) or privilege escalation.
Recommendation
Immediately update the Linux kernel to a version containing the fix (change type to size_t and add size validation before allocation).
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: tvlv: reject oversized TVLV packets batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers. The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory. Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.

