HIGH 7.8

CVE-2026-46206: Linux batman-adv Kernel Privilege Escalation via Improper State Validation

CVE-2026-46206 is a vulnerability in the Linux kernel's batman-adv (Better Approach To Mobile Ad-hoc Networking) module that allows improper state transitions during network teardown. The issue occurs when the tp_meter (throughput meter) component fails to block new measurement sessions after the mesh network has begun shutting down. An attacker with local access can exploit this race condition to initiate sender or receiver sessions on a network that is no longer in an active state, potentially causing privilege escalation or system instability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject new tp_meter sessions during teardown Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in batman-adv's tp_meter implementation, which lacks proper state validation when transitioning away from BATADV_MESH_ACTIVE. The tp_meter protocol is responsible for measuring link throughput in mesh networks, but the code does not adequately reject new session requests after mesh teardown has begun. This allows a local, unprivileged user to trigger tp_meter session initialization on a mesh interface in a shutdown or transitional state. The lack of input validation combined with the local execution context creates a window for privilege escalation or denial-of-service conditions. The fix implements state checking to ensure tp_meter sessions cannot be initiated once the mesh enters a non-active state.

Business impact

Organizations running Linux-based mesh networking infrastructure, edge computing platforms, or IoT deployments that rely on batman-adv face moderate operational risk. The vulnerability enables local privilege escalation and potential system compromise by unprivileged users. For mesh networks used in industrial control systems, critical infrastructure, or security-sensitive environments, this could facilitate lateral movement or persistence. The impact is localized to systems with batman-adv loaded and mesh interfaces active, but systems in such deployments warrant expedited remediation to prevent exploitation during maintenance windows or network reconfigurations.

Affected systems

The Linux kernel is affected, specifically installations with the batman-adv module enabled and mesh networking interfaces configured. This includes edge routers, mesh network nodes, wireless mesh deployments, and any Linux-based systems running batman-adv. The vulnerability requires local access, so it affects systems with local user accounts or where unprivileged processes can interact with mesh network configuration. Desktop Linux systems running batman-adv for research or hobby mesh projects are also technically vulnerable but represent lower operational risk than production infrastructure.

Exploitability

Exploitability is moderate. The attack requires local access to the system (AV:L) and no special privileges beyond a standard local user account (PR:L), making it accessible to any authenticated user. No user interaction is required (UI:N). However, successful exploitation depends on precise timing during mesh state transitions—specifically during the window when mesh_state leaves BATADV_MESH_ACTIVE but before the tp_meter mechanism fully closes. This narrow race condition reduces real-world exploitability compared to the CVSS score alone suggests. Public exploit code is not known to be in circulation, and the vulnerability has not been added to the CISA KEV catalog.

Remediation

Apply a Linux kernel update that includes the batman-adv tp_meter state validation patch. Verify the patch against the official Linux kernel security advisory and your distribution's update channels. For organizations unable to patch immediately, mitigate by restricting local access to systems running batman-adv, disabling mesh networking interfaces if not actively required, or isolating affected systems from untrusted local networks. Monitor system logs for unusual tp_meter session initialization attempts.

Patch guidance

Check your Linux distribution's security advisories and kernel update channels for the patched kernel version addressing CVE-2026-46206. Kernel versions released after the patch date (verify against the vendor advisory) include the corrected tp_meter state checking logic. Test patched kernels in a staging environment before production deployment, especially if batman-adv is critical to your network topology. Reboot systems after applying the kernel update to activate the fix. If your distribution provides stable backports, prefer those over major version jumps to minimize compatibility risk.

Detection guidance

Monitor system logs for tp_meter session initialization (via netlink events or kernel logs) occurring during mesh state transitions or shutdown sequences. Check for unexpected tp_meter sender or receiver sessions initiated by unprivileged users. On systems with batman-adv loaded, periodically verify mesh state and interface status using `batctl` or equivalent tools to detect abnormal teardown behavior. Enable kernel audit logging (if your security posture requires it) to capture local process interactions with batman-adv control interfaces. Watch for repeated tp_meter errors or crashes during network reconfigurations.

Why prioritize this

This vulnerability merits HIGH priority patching despite not yet appearing in CISA's KEV catalog. The CVSS 7.8 score reflects local privilege escalation potential, which is material for any Linux system with local users. Organizations running batman-adv in production mesh networks—particularly in unattended edge or infrastructure contexts—should prioritize this patch. The vulnerability affects kernel-level networking functionality, making it systemic once introduced. However, the local-access requirement and race-condition-dependent exploitation window mean this is not an emergency-response priority equivalent to remote code execution vulnerabilities.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) is driven by the high confidentiality, integrity, and availability impact (C:H/I:H/A:H) combined with local attack vector and low privilege requirements. The scoring reflects that a local attacker can achieve privilege escalation or cause system instability. The low attack complexity (AC:L) indicates the underlying flaw is straightforward to trigger once local access is obtained. Notably, the attack is not trivial due to the race condition nature of the bug, which is not fully captured in CVSS and argues for slightly lower practical risk than the score suggests.

Frequently asked questions

What is batman-adv and why is it in the Linux kernel?

Batman-adv (Better Approach To Mobile Ad-hoc Networking) is a kernel-level mesh networking module that enables dynamic, multi-hop routing for wireless mesh networks. It's used in edge computing, IoT, wireless community networks, and disaster-response infrastructure where traditional centralized routing is impractical. It's part of the mainline Linux kernel as a loadable module.

Do I need to worry about this if I don't use mesh networking?

Only if your Linux system has batman-adv module loaded. Most standard desktop and server distributions do not load it by default. Check by running `lsmod | grep batman` (Linux). If nothing appears, batman-adv is not active and this vulnerability does not affect you. If you do not use mesh networking features, disabling the module further reduces risk.

Can this vulnerability be exploited over the network or only locally?

Only locally. The attacker must have a user account or process execution context on the affected Linux system itself. This is not a remote code execution vulnerability. It does increase risk for systems with untrusted local users or for edge devices where physical access or local account compromise is plausible.

What is tp_meter and why does it need state validation?

Tp_meter is batman-adv's throughput measurement utility for testing link quality in mesh networks. It initiates sender and receiver sessions to measure bandwidth and latency. The vulnerability is that these sessions were not being rejected when the mesh network was shutting down (leaving BATADV_MESH_ACTIVE state), allowing improper resource allocation and state corruption. The fix ensures cleanup and prevents orphaned sessions.

This analysis is provided for informational purposes by SEC.co and should not be construed as legal advice or a substitute for professional security assessment. CVE-2026-46206 details, CVSS scores, affected products, and patch availability are based on public vulnerability databases and vendor advisories current as of the publication date. Verify patch version numbers and availability directly against your distribution's security advisories before applying updates. SEC.co does not provide exploit code or weaponized proof-of-concept materials. Organizations should conduct their own risk assessment based on their specific infrastructure and threat model. For questions about this vulnerability's applicability to your environment, consult your system administrator or security team. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).