CVE Catalog

CVE-2026-52934

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

In the Linux kernel's batman-adv module, a buffer overflow vulnerability was found in TVLV packet processing. The function calculating the TVLV container list size used u16 type, causing integer wrap-around when the total exceeds 65535 bytes, leading to undersized buffer allocation and out-of-bounds write.

Risk Assessment

An attacker can remotely send crafted TVLV packets, causing kernel memory corruption, potentially leading to system crash (DoS) or privilege escalation.

Recommendation

Immediately update the Linux kernel to a version containing the fix (change type to size_t and add size validation before allocation).

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: batman-adv: tvlv: reject oversized TVLV packets batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers. The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory. Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS