CVE-2026-46208: Linux batman-adv TP Meter Race Condition During Mesh Teardown
A flaw in the Linux kernel's batman-adv mesh networking module can occur when the mesh interface is shut down. TP meter sessions—which measure link quality and throughput in mesh networks—may continue running even after the user's request has completed. When the mesh is torn down, these orphaned sessions can still be active, allowing incoming packets or sender threads to interact with a mesh instance that is already shutting down. This can lead to memory corruption, privilege escalation, or denial of service. The fix ensures that all active TP meter sessions are properly stopped and cleaned up before the mesh finishes shutting down.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- —
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-19
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop tp_meter sessions during mesh teardown TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The batman-adv module's TP meter (throughput measurement) implementation maintains active session state in bat_priv->tp_list that persists after the netlink request completes. When batadv_mesh_free() executes during mesh teardown, it does not drain these sessions before proceeding with mesh deallocation. A sender thread with pending operations or an incoming TP meter packet can then operate on freed or partially-freed mesh state, creating a use-after-free or race condition. The patch synchronizes TP meter lifecycle with mesh lifetime by explicitly stopping all active sessions during mesh free and blocking until sender threads have exited.
Business impact
For organizations running mesh networking deployments on Linux (edge computing, autonomous systems, sensor networks, military/tactical communications), this vulnerability poses a stability and confidentiality risk. Repeated mesh teardown cycles could trigger kernel crashes, data corruption, or privilege escalation from a local attacker. In production environments where mesh interfaces are dynamically reconfigured or where untrusted local users can trigger network resets, the impact escalates significantly. Affected systems may exhibit intermittent failures, corrupted routing state, or silent data loss.
Affected systems
Linux kernel versions that include the batman-adv mesh networking driver are affected. This is typically enabled in custom or embedded Linux builds, particularly those used in IoT, edge computing, drone systems, or tactical mesh networks. Standard desktop and server distributions may not enable batman-adv by default, reducing exposure in typical enterprise environments. Systems with CONFIG_BATMAN_ADV enabled are at risk.
Exploitability
Exploitation requires local access (AV:L) and user-level privileges (PR:L). An attacker cannot trigger this remotely, and must either be a logged-in user or have shell access to the target system. The attack does not require user interaction; simply removing the mesh interface while a TP meter session is active may trigger the race condition. The technical bar for exploitation is moderate—forcing the race condition reliably may require specific timing, but the underlying flaw is deterministic once triggered.
Remediation
Apply a kernel patch that drains all TP meter sessions during batadv_mesh_free() and synchronizes sender thread exit before continuing with mesh teardown. Verify the patch commit against the Linux kernel's batman-adv subsystem repository. Recompile and test the patched kernel in a non-production environment first, particularly if batman-adv is critical to your deployment. For systems where batman-adv is not required, disabling CONFIG_BATMAN_ADV eliminates the vulnerability entirely.
Patch guidance
Monitor the Linux kernel maintainers' updates for the batman-adv driver. Patches addressing this issue should be included in stable kernel releases following the initial upstream merge. Verify patch status in your distribution's kernel advisory pages (Red Hat, Canonical, SUSE, etc.). If you maintain a custom kernel build, cherry-pick the upstream batman-adv fix from Linus Torvalds' repository or the Linux stable tree. Test mesh interface creation, TP meter operation, and mesh teardown cycles before deploying to production.
Detection guidance
Monitor kernel logs (dmesg) for use-after-free warnings, NULL pointer dereferences, or 'BUG: unable to handle page fault' messages originating from batman-adv code paths during mesh teardown. Enable CONFIG_DEBUG_KMEMLEAK to detect memory leaks in batman-adv session structures. If mesh interface removal is followed by oops or soft lockup logs, the vulnerability may be triggering. Trace TP meter session lifecycle with ftrace or eBPF to detect sessions active during mesh_free() execution.
Why prioritize this
This vulnerability merits prompt patching in any environment where batman-adv is active. Although it requires local access, it can result in kernel crashes (denial of service) or privilege escalation, and the race condition is trivially triggered by normal mesh teardown operations. The CVSS 7.8 HIGH severity reflects the high impact (confidentiality, integrity, availability) despite local-only access. Organizations should prioritize kernel updates within 2–4 weeks, sooner if batman-adv is mission-critical.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: (1) high impact across confidentiality, integrity, and availability; (2) local attack vector, limiting scope but not eliminating risk in multi-user or edge environments; (3) low attack complexity, as normal mesh teardown can trigger the flaw; (4) low privileges required, accessible to any local user. The score is not critical because remote exploitation is impossible, but the combination of crash/corruption risk and ease of triggering warrants urgent remediation.
Frequently asked questions
Does this affect me if I run a standard Linux desktop or server?
Unlikely, unless you explicitly enabled batman-adv (CONFIG_BATMAN_ADV) in your kernel build. Most distributions ship with batman-adv disabled by default. Check your kernel config: grep CONFIG_BATMAN_ADV /boot/config-$(uname -r). If the output is 'n' or absent, you are not affected.
What is TP meter in batman-adv, and why does it matter?
TP meter measures throughput and link quality in mesh networks by sending probe packets and timing responses. It is used by mesh routing decisions to optimize paths. The vulnerability occurs when TP meter sessions are still processing packets after the mesh is torn down, potentially corrupting mesh state or causing crashes.
Can this be exploited remotely over the network?
No. The attack vector is local only (AV:L). An attacker must have shell or user-level access to the target system. Remote mesh nodes cannot trigger this vulnerability.
What kernel versions are affected?
Any kernel version with batman-adv enabled (CONFIG_BATMAN_ADV=y or =m) is potentially affected. Consult your distribution's security advisory or the upstream Linux kernel repository for the exact affected version range and patch availability.
This analysis is based on the CVE record and publicly available technical information as of the publication date. It does not constitute professional security advice. Organizations must validate all technical claims against their own infrastructure, verify patch availability with vendors and distributions, and conduct thorough testing before deploying patches to production. SEC.co and its analysts assume no liability for decisions or actions taken based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment