CVE-2026-46233: Linux Kernel Batman-adv Null Pointer Dereference Denial of Service
A flaw in the Linux kernel's Batman-adv bridge loop avoidance (BLA) subsystem can cause a crash when the system attempts to clean up stale network bridge claims. The issue occurs because the cleanup routine doesn't properly check whether a claim is still valid before trying to access it, potentially leading to a null pointer dereference. An attacker with local access could trigger this condition to cause a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46233 is a null pointer dereference vulnerability in batadv_bla_purge_claims() within the Linux kernel's batman-adv module. The function traverses a hash list of claims using only RCU read-side locking, but does not account for concurrent batadv_claim_put() operations that may release and free claims in parallel. When batadv_claim_release() sets backbone_gw to NULL before initiating the delayed RCU kfree, a subsequent call to batadv_bla_claim_get_backbone_gw() from the purge routine attempts to dereference a null pointer. The fix restricts purging to claims with valid reference counts, deferring the cleanup of already-released claims to their existing lifecycle management.
Business impact
For organizations running Linux systems with batman-adv enabled—particularly mesh networking deployments or network bridging configurations—this vulnerability introduces an availability risk. A local attacker can trigger kernel panics or system crashes by forcing claim cleanup operations, disrupting service availability. While not remotely exploitable, the impact is significant in environments where batman-adv is used for bridge loop prevention in multi-node mesh networks or in containerized environments where local privilege escalal could occur.
Affected systems
The Linux kernel is affected, specifically versions that include the batman-adv module with active BLA (bridge loop avoidance) functionality. Any system running batman-adv for network bridging or mesh networking is potentially vulnerable. This includes embedded systems, network appliances, and specialized routing/bridging deployments. Standard desktop and server deployments without batman-adv are not affected.
Exploitability
Exploitability requires local access and the ability to trigger RCU grace period conditions that expose the race condition between claim purging and claim release. An attacker needs to influence the timing of network topology changes or claim lifecycle events to reliably trigger the null pointer dereference. This is not a remote vulnerability, and the attack surface is limited to systems with batman-adv enabled and local user access. The CVSS score of 5.5 reflects the local-only nature and the requirement for precise race condition triggering.
Remediation
Apply kernel patches that add reference count validation to batadv_bla_purge_claims() to ensure only claims with valid references are purged. The vendor fix modifies the purge logic to skip claims that are already in the process of being released, preventing the null pointer dereference. System administrators should upgrade to the patched kernel version provided by their Linux distribution.
Patch guidance
Coordinate with your Linux vendor or distribution maintainer to obtain the patched kernel version. Verify against the official vendor advisory for your specific distribution (Red Hat, Ubuntu, Debian, SUSE, etc.) to identify the exact version that includes this fix. Batman-adv users should prioritize patching, particularly in production mesh networking environments. Standard practice involves scheduling a maintenance window for kernel updates, as this typically requires a system reboot.
Detection guidance
Monitor kernel logs for null pointer dereference panics or oops messages originating from batadv_bla_purge_claims() or related BLA functions. Systems may exhibit sudden crashes or resets when claim purging occurs during network topology transitions. In environments with persistent logging, correlate crashes with batman-adv claim activity. Post-compromise, forensic analysis of kernel crash dumps can confirm whether CVE-2026-46233 was the root cause, though the vulnerability itself does not leave persistent artifacts.
Why prioritize this
While the CVSS score is moderate (5.5), prioritization should reflect the specific deployment context. Organizations using batman-adv for critical mesh networking, bridge loop avoidance, or redundant network topologies should treat this as high priority due to availability impact. Organizations without batman-adv enabled can defer patching to standard update cycles. The local-only attack vector reduces urgency for systems with strict access controls, but the ease of triggering (once access is gained) warrants timely remediation in shared or multi-tenant environments.
Risk score, explained
The CVSS v3.1 score of 5.5 (MEDIUM) reflects: local-only attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). The moderate score accounts for the requirement of local access and the specific technical conditions needed to trigger the race condition, offset by the severe availability consequences when successfully exploited.
Frequently asked questions
Does this vulnerability affect systems without batman-adv enabled?
No. Batman-adv is an optional kernel module used for bridge loop avoidance and mesh networking. Systems without batman-adv compiled or loaded are not affected. Check your kernel configuration and running modules to determine if batman-adv is active.
Can this vulnerability be exploited remotely?
No, this is strictly a local vulnerability. An attacker must have local access to the system and the ability to trigger specific race conditions during network claim lifecycle operations. It cannot be exploited over the network.
What is the practical impact of the crash?
Exploitation causes a kernel panic or oops, resulting in system downtime. For systems where batman-adv manages network bridging, this can disrupt network availability until the system recovers or is rebooted. In mesh network topologies relying on batman-adv, node failure can impact overall network connectivity.
How do I know if batman-adv is running on my system?
Check for batman-adv in your kernel configuration (CONFIG_BATMAN_ADV in .config or /boot/config-*) and verify if the module is loaded using 'lsmod | grep batman' or 'ip link | grep bat'. If neither batman-adv nor mesh networking is part of your deployment, you are not affected.
This analysis is based on available vulnerability data as of the publication date. Exploit details, patch availability, and affected product versions should be verified directly with Linux vendors, distribution maintainers, and the official Linux kernel security advisories. SEC.co provides this intelligence for informational purposes to support security decision-making. Organizations should conduct their own risk assessment based on their specific batman-adv deployment status and local access controls. No liability is accepted for reliance on this analysis without independent verification. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference