HIGH 8.8

CVE-2026-46198: Linux Kernel batman-adv Integer Overflow & Kernel Memory Disclosure (CVSS 8.8)

A flaw in the Linux kernel's batman-adv (Better Approach To Mobile Ad-hoc Networking) module allows an attacker on the network to trigger an integer overflow that leads to reading memory beyond intended bounds. The vulnerability stems from a type mismatch: a size validation uses a larger integer type (int) while the actual buffer position is stored in a smaller signed type (s16), creating a window where the validation passes but the buffer position can still exceed safe limits. An attacker with network access could exploit this to read sensitive kernel memory.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix integer overflow on buff_pos Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46198 is an integer overflow vulnerability in batadv_iv_ogm_send_to_if within the batman-adv kernel module. The root cause is a type inconsistency between the size check performed in batadv_iv_ogm_aggr_packet (which uses int) and the buff_pos variable (which uses s16, a signed 16-bit integer). When buff_pos is incremented during packet aggregation, it can overflow within its narrower type bounds while the int-based size check fails to catch it. This overflow allows the code to write to or read from memory outside the intended buffer, resulting in an out-of-bounds memory access. The vulnerability is reachable from network context, requiring only that the attacker be on the same network segment as the target.

Business impact

This vulnerability could allow an attacker to exfiltrate sensitive data from kernel memory, including cryptographic keys, network credentials, or other system secrets. In ad-hoc mesh networking deployments—common in IoT, emergency communications, or military scenarios—compromise of a single node's kernel memory could cascade to network-wide compromise. Even in standard deployments, kernel memory disclosure is a high-value target for privilege escalation chains and persistent access techniques.

Affected systems

The Linux kernel is affected. The vulnerability is present in the batman-adv module, which is compiled into many Linux distributions as either a built-in module or a loadable kernel module. Any system running a vulnerable kernel version with batman-adv enabled is at risk. This includes embedded systems, IoT devices, and standard Linux servers using batman-adv for mesh networking or ad-hoc connectivity.

Exploitability

The vulnerability requires network-adjacent access (AV:A in the CVSS vector), meaning the attacker must be on the same network segment or wireless range as the target. No authentication or user interaction is required. The attack can be triggered by crafting specific batman-adv protocol packets. The exploit is straightforward once network adjacency is achieved, making this a practical threat in environments where untrusted nodes may join the network or where radio range includes attacker-controlled equipment.

Remediation

Apply kernel patches that resolve the type mismatch by ensuring buff_pos validation uses consistent types, or by adding explicit bounds checks that account for the s16 range. Verify against the vendor advisory for exact patch versions available for your Linux distribution. Kernel updates addressing this issue should be applied to all systems running batman-adv, prioritizing network-facing or air-gapped mesh infrastructure first.

Patch guidance

Monitor your Linux distribution's security advisories for kernel updates that include the batman-adv integer overflow fix. Patches are typically released as part of regular kernel stable updates. Verify the exact patched versions against your vendor's advisory, as version numbers vary by distribution (Ubuntu, Debian, RHEL, etc.). Testing should focus on systems where batman-adv is actively used; if batman-adv is not needed, disabling the module eliminates the risk while patches are staged.

Detection guidance

Kernel logs may show messages related to out-of-bounds access attempts or memory faults if exploitation is attempted, though detection is not guaranteed. Network-based detection is challenging without signature patterns of the crafted batman-adv packets; focus on identifying which systems have batman-adv loaded via 'lsmod | grep batman' or kernel configuration checks. Host-based intrusion detection can monitor for unusual memory access patterns or crashes correlated with batman-adv module activity.

Why prioritize this

Despite the requirement for network adjacency, the CVSS score of 8.8 (HIGH) reflects the severity of kernel memory disclosure. The lack of KEV listing suggests this is a recent or lower-visibility threat, but the combination of easy exploitability (no auth, no user interaction, low complexity) and high impact (confidentiality, integrity, and availability all affected per the vector) warrants rapid patching, particularly for systems in mesh network deployments, IoT ecosystems, or environments where network boundaries are less strictly enforced.

Risk score, explained

The CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H vector yields a score of 8.8 (HIGH). The attack vector is Adjacent (AV:A), limiting exposure but not eliminating it. Attack Complexity is Low (AC:L) and no Privileges or User Interaction are required, making exploitation straightforward. All three impact dimensions—Confidentiality, Integrity, and Availability—are rated High, reflecting the severity of uncontrolled memory access. The Scope is Unchanged, meaning the impact is limited to the vulnerable component, though kernel memory disclosure threatens the entire system.

Frequently asked questions

Do I need batman-adv enabled? If not, am I safe from this vulnerability?

batman-adv is a mesh networking module primarily used in ad-hoc and IoT deployments. If your system does not use mesh networking, batman-adv is typically not loaded by default. You can verify with 'lsmod | grep batman' or check your kernel configuration. If the module is not loaded, you are not directly at risk from this specific vulnerability, though you should still patch if the module exists in your kernel image for defense-in-depth.

I'm not on a mesh network. Why does AV:A (network-adjacent) apply to me?

Network-adjacent means an attacker must be on the same network segment or wireless range. In typical enterprise networks, this could include other users on the same WiFi, coworkers on the same LAN segment, or compromised IoT devices nearby. Even isolated networks are at risk if unauthorized or compromised devices can join them.

Can this be exploited remotely over the internet?

No. The CVSS vector explicitly limits this to network-adjacent attackers (AV:A). Remote exploitation over the internet is not possible. However, in cloud environments or shared hosting, an attacker in a neighboring VM or container on the same physical host might be considered network-adjacent depending on the network topology.

What data could an attacker read from kernel memory?

An out-of-bounds read in kernel memory could expose cryptographic keys, session tokens, password hashes, network credentials, or other secrets resident in kernel buffers. The exact data depends on the kernel's memory layout and what happens to be adjacent to the batman-adv buffer in question. This is why kernel memory disclosure is considered a high-value target for attackers building multi-stage exploits.

This analysis is based on the CVE record and public kernel disclosures as of the publication date. Actual exploitability and patch availability vary by Linux distribution and kernel version. Organizations should verify patch availability and compatibility with their specific kernel versions against their vendor's official security advisory before deploying updates. This document does not constitute professional security advice; consult with your security team and vendor for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).