HIGH 8.8

CVE-2026-46212: Linux batman-adv Use-After-Free in BLA Claim Deletion

A use-after-free vulnerability exists in the Linux kernel's batman-adv module, specifically in the B.A.T.M.A.N. advanced mesh networking layer. When removing backbone claims from a network topology, the code attempts to free a claim object before it has finished using it, creating a window where the freed memory could be accessed or overwritten. This can lead to system crashes, data corruption, or privilege escalation in mesh-networked Linux systems running the affected code.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: prevent use-after-free when deleting claims When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46212 is a use-after-free flaw (CWE-416) in batman-adv's bla (Bridge Loop Avoidance) subsystem. The function batadv_bla_del_backbone_claims() removes claims by dropping hash list entries, but the corresponding batadv_claim_put() reference count decrement was being performed before the final access to the claim object completed. If batadv_claim_release() executes during this window, the claim structure is deallocated while still being referenced by the hash list removal operation. This violates object lifetime safety and can corrupt kernel memory or trigger a panic.

Business impact

Systems relying on batman-adv for mesh networking—including edge devices, IoT deployments, and specialized Linux distributions supporting wireless mesh topologies—face potential availability and integrity risks. Depending on placement and privilege context, attackers on the mesh network could trigger kernel crashes, cause denial of service, or potentially escalate privileges. Organizations operating mesh networks or software-defined networking solutions using batman-adv should treat this as a high-priority stability and security issue.

Affected systems

The Linux kernel is affected across multiple versions where batman-adv is enabled. The vulnerability resides in the batman-adv kernel module used for mesh network routing. Systems specifically impacted are those with batman-adv compiled into the kernel or loaded as a module, particularly edge devices, wireless mesh deployments, and custom Linux distributions. Standard enterprise Linux systems without batman-adv enabled are not affected.

Exploitability

The vulnerability requires an attacker to be on the mesh network (AV:A per CVSS) but does not require privilege or user interaction. An attacker with network adjacency to a batman-adv mesh can trigger the race condition by timing backbone claim deletions, causing the use-after-free condition to manifest. The low complexity and no-privilege requirement (AC:L/PR:N) mean exploitation is practical once an attacker gains mesh network presence, though the exact reproducibility depends on kernel timing and memory layout.

Remediation

Apply the Linux kernel patch that reorders the claim reference drop to occur after all accesses to the claim object have completed. This typically involves moving the batadv_claim_put() call to the end of the batadv_bla_del_backbone_claims() function or restructuring the loop to avoid premature deallocation. Verify the specific patch version against the vendor advisory for your Linux distribution and kernel branch.

Patch guidance

Monitor your Linux distribution's security advisories for kernel updates addressing this vulnerability. If your system runs batman-adv (verify via `lsmod | grep batman` on deployed systems), prioritize applying kernel updates once available from your vendor. Backports to stable kernel branches and long-term support releases should be expected. Test patches in a non-production mesh environment first to ensure compatibility with your specific batman-adv topology and configuration.

Detection guidance

Monitor kernel logs for batman-adv related panics or oops messages, particularly those involving claim or backbone operations. Kernel Address Sanitizer (KASAN) builds will detect the use-after-free more reliably in development/test environments. For production systems, watch for unexpected kernel crashes or system hangs when batman-adv topology changes occur (nodes joining/leaving mesh). Intrusion detection systems should flag suspicious mesh network traffic patterns designed to trigger rapid claim churn.

Why prioritize this

With a CVSS 3.1 score of 8.8 (HIGH severity) and direct impact on kernel integrity via use-after-free, this vulnerability merits immediate attention for any organization using batman-adv in production. The network-adjacent attack vector limits exposure compared to remote code execution, but the high impact on confidentiality, integrity, and availability justifies rapid remediation once patches are available. Prioritize systems in security-sensitive mesh deployments (e.g., critical edge infrastructure).

Risk score, explained

The 8.8 CVSS score reflects high impact across all three security dimensions (C:H/I:H/A:H) balanced against the network-adjacent attack requirement (AV:A). The absence from CISA KEV indicates limited weaponized exploits at time of publication, but the technical simplicity of triggering a use-after-free race condition means exploit code development is straightforward once researchers have access to vulnerable systems. Organizations should not rely on KEV status as a deferral justification.

Frequently asked questions

Do I need to worry about this if I don't use batman-adv?

No. This vulnerability only affects systems with batman-adv explicitly enabled. Standard Linux systems running on wired networks or using conventional routing do not include batman-adv by default. Check your kernel configuration or run `lsmod | grep batman` to confirm.

Can this be exploited remotely, or only from the mesh network?

Only from the mesh network itself. The CVSS vector AV:A means the attacker must have network adjacency—they cannot exploit this from an external, unauthenticated position. However, once on the mesh, no further privilege or user interaction is needed.

What happens if this vulnerability is exploited?

An attacker could trigger a kernel panic or memory corruption, causing a system crash (denial of service). In some cases, memory corruption could potentially be chained into privilege escalation, though that depends on memory layout and attacker sophistication.

When will patches be available?

Patches typically roll out through your Linux distribution's kernel update cycle. Check your vendor's security advisories for timelines. Distributions with long-term support kernels usually back-port fixes within weeks of public disclosure.

This analysis is based on vulnerability disclosures and kernel source repositories as of the publication date. CVSS scores and severity ratings are provided by official sources and reflect conditions at time of release. Organizations must verify patch availability and compatibility with their specific Linux distribution and kernel version before deployment. This vulnerability requires network adjacency to the affected batman-adv mesh and does not affect systems without batman-adv enabled. For the most current patch status and distribution-specific guidance, consult your vendor's security advisory and kernel documentation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).