CVE-2026-46231: Linux batman-adv Memory Leak in Claim Hash Insertion
A flaw in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) networking module leaks memory when certain network claim operations fail. Specifically, when the system attempts to record a new claim in an internal hash table but the insertion fails, it forgets to release a reference to a network backbone object, causing that object to remain in memory indefinitely. This gradual accumulation of unreleased objects can eventually degrade system performance or trigger a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: put backbone reference on failed claim hash insert When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46231 is a resource leak vulnerability in the batman-adv Broadcast, Unknown, Directed (B.U.D.) Local Area Network (BLAN) module within the Linux kernel. The vulnerability exists in the batadv_bla_add_claim() function, which manages claim insertions into a hash table. When hash insertion fails—typically due to memory allocation failure or table exhaustion—the function returns an error without decrementing the reference count on the backbone_gw (backbone gateway) object. This omission violates reference-counting discipline and leaves the backbone_gw structure allocated in memory. The fix introduces a call to batadv_backbone_gw_put() on the error path to properly release the reference and allow garbage collection of the object.
Business impact
On systems that use batman-adv for mesh networking, this vulnerability creates a slow-burn denial of service vector. Repeated failed claim insertions accumulate leaked backbone gateway objects, consuming kernel memory over time. On memory-constrained devices—such as embedded systems, IoT gateways, or containerized environments—this can lead to eventual out-of-memory conditions, system crashes, or service interruptions. For organizations deploying batman-adv in mesh networks or wireless mesh backhauls, the vulnerability increases operational risk and may require unplanned reboots or service restarts to recover from accumulated memory exhaustion.
Affected systems
The vulnerability affects Linux kernels that include the batman-adv module. Affected versions are those shipped before the fix was applied; the exact range depends on kernel release cycles and distribution backporting practices. Batman-adv is used in specialized mesh networking deployments, including some IoT platforms, wireless mesh networks, and ad-hoc networking scenarios. Standard server and desktop Linux distributions ship the module but may not actively use it unless explicitly configured for mesh networking. Systems should verify their kernel version and batman-adv enablement status against vendor advisories.
Exploitability
Exploitation requires local access and the ability to trigger repeated failed claim hash insertions within batman-adv. This is not a remote code execution vulnerability and does not grant elevated privileges. An unprivileged local user or application operating within a batman-adv mesh network could potentially trigger the leak through malformed network traffic or by exhausting hash table capacity. However, practical exploitation is constrained by the need to repeatedly trigger failure conditions. The CVSS score of 5.5 (Medium) reflects local-only access requirements and availability impact (memory exhaustion) rather than confidentiality or integrity breaches.
Remediation
Apply a kernel update that includes the fix to batadv_bla_add_claim(). The patch adds an explicit batadv_backbone_gw_put() call in the error path to release the backbone gateway reference on failed hash insertion. Organizations should coordinate with their Linux distribution vendor to obtain a patched kernel version that addresses this issue. For systems unable to update immediately, disabling batman-adv if not actively used eliminates exposure; however, this is impractical for systems that depend on mesh networking.
Patch guidance
Consult your Linux distribution's security advisory for the availability and version number of patched kernels. Ubuntu, Debian, Red Hat, SUSE, and other major distributions will release kernel updates addressing this vulnerability in their respective cadences. Apply updates to your kernel package and reboot systems running batman-adv. Verify the fix by confirming the presence of the batadv_backbone_gw_put() error-path call in your kernel source or by checking the kernel's changelog against the CVE identifier. Test in a non-production environment first to confirm compatibility with local mesh networking configurations.
Detection guidance
Monitor kernel memory usage trends on systems running batman-adv, particularly on memory-constrained devices. Watch for sustained increases in kernel memory (kmem) or unreclaimable memory that correlate with batman-adv activity. Enable kernel memory accounting and auditing to track backbone_gw object allocations and deallocations. Use tools such as kmemleak or systemtap to detect unreleased reference counts on batman-adv structures. Log batman-adv module statistics and watch for anomalies in claim table insertions or failures. Implement alerts for out-of-memory conditions or kernel panic events on affected systems.
Why prioritize this
Although the CVSS score is Medium (5.5), prioritization depends on deployment context. Systems actively using batman-adv for critical mesh networking should prioritize patching to avoid cumulative memory exhaustion and service degradation. Embedded and IoT deployments with limited memory are at higher risk from this leak. Standard Linux servers and desktops with batman-adv disabled or unused can deprioritize but should still apply updates during routine maintenance cycles. Organizations operating mesh networks should treat this as moderate-to-high priority within their own infrastructure.
Risk score, explained
The CVSS 3.1 score of 5.5 (Medium) reflects: Attack Vector Local (cannot be exploited remotely), Attack Complexity Low (no unusual conditions required), Privileges Required Low (any local user can trigger repeated network operations), User Interaction None (no user action needed), Scope Unchanged (impact confined to the affected system), Confidentiality None (no secrets exposed), Integrity None (no data corrupted), Availability High (memory exhaustion can crash or degrade the system). The Medium severity appropriately captures that this is a local denial-of-service vector with no remote or privilege-escalation component, but poses real risk to availability on affected deployments.
Frequently asked questions
Does this vulnerability allow remote code execution or privilege escalation?
No. CVE-2026-46231 is a local resource leak vulnerability. It does not provide remote access, does not allow unprivileged users to escalate to root, and does not enable code execution. The only impact is memory exhaustion on systems running batman-adv.
Which Linux systems are affected?
Systems running Linux kernels with batman-adv enabled or compiled in are potentially affected. This includes some IoT devices, mesh network appliances, and specialized networking deployments. Standard desktops and servers typically have batman-adv available but not active unless explicitly configured. Check your kernel configuration with 'grep CONFIG_BATMAN_ADV /boot/config-$(uname -r)' to determine if batman-adv is present.
What happens if I do not patch this vulnerability?
On systems actively using batman-adv, repeated network operations that fail to insert claims will gradually leak kernel memory. Over hours, days, or weeks—depending on traffic and hash table behavior—leaked objects accumulate, consuming available kernel memory. This eventually triggers out-of-memory conditions, reduced system performance, or kernel panics. Systems not using batman-adv are unaffected even if the module is present.
Can I mitigate this without patching?
If batman-adv is not essential to your operations, disabling it eliminates exposure. You can blacklist the module or rebuild your kernel without batman-adv support. However, systems that depend on mesh networking cannot mitigate without patching. Monitoring kernel memory trends and setting aggressive swap/memory limits may delay symptoms but does not address the root leak.
This analysis is provided for informational purposes by SEC.co and does not constitute legal, technical, or professional advice. Patch version numbers, vendor advisories, and specific affected product versions must be verified against official Linux distribution security bulletins and the Linux kernel CVE tracker before deployment. Organizations should conduct testing in non-production environments and follow their internal change management procedures. The vulnerability does not appear in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date, but exploitability may change over time. Refer to your distribution's security team and the upstream Linux kernel maintainers for the most current information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure