CVE-2026-46238: Linux Kernel B.A.T.M.A.N. Use-After-Free Vulnerability – CVSS 8.8 HIGH
A memory management flaw in the Linux kernel's B.A.T.M.A.N. (Better Approach To Mobile Ad-hoc Networking) advanced routing implementation allows an attacker on the local network to crash the system or potentially execute code with high privileges. The vulnerability stems from the protocol caching a pointer to routing data that can become invalid after the system cleans up stale entries, leading to use-after-free conditions when that stale pointer is later accessed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- —
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. [sven: avoid bonding logic for outgoing OGM]
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46238 is a use-after-free vulnerability in the B.A.T.M.A.N. IV routing daemon within the Linux kernel. The BAT IV implementation stores an originator pointer in neighbor node structures derived from a temporary lookup operation. This pointer is not properly owned or reference-counted by the neighbor node, making it vulnerable to invalidation during purge cycles. When the routing logic later attempts to use this cached originator pointer without validation, it may reference freed memory. The fix resolves the issue by eliminating the auxiliary pointer cache and instead performing on-demand lookups from the stored neighbor address, ensuring the pointer lifecycle is properly managed.
Business impact
Systems running mesh networking deployments—particularly edge devices, IoT gateways, or community network infrastructure using B.A.T.M.A.N. routing—face denial-of-service and potential remote code execution risks from local network attackers. Affected organizations should assess whether their infrastructure relies on kernel-level B.A.T.M.A.N. routing and prioritize patching accordingly. The local attack vector limits exposure in typical data center environments but poses material risk in wireless mesh, edge computing, and distributed network topologies.
Affected systems
Linux kernel versions incorporating the vulnerable B.A.T.M.A.N. IV routing module are affected. The vulnerability is present in systems where B.A.T.M.A.N. advanced networking is compiled into or loaded as a module. Verify your kernel version and B.A.T.M.A.N. configuration by checking kernel logs and network module status; consult your Linux distribution's advisory for specific affected version ranges and patch availability.
Exploitability
The vulnerability requires network-adjacent access (AV:A) and no special privileges or user interaction. An attacker positioned on the same local network segment can craft malicious routing traffic to trigger the use-after-free condition. While the attack surface is restricted to local networks, the ease of exploitation (low complexity, no authentication required) and the severity of potential impact (confidentiality, integrity, availability all compromised) make this a practical threat within mesh networking environments.
Remediation
Apply the kernel patch that removes the unowned originator pointer cache and replaces it with on-demand lookups from neighbor addresses. Linux distributions will release kernel updates addressing this issue; obtain patches through your distribution's security advisory channels. Verify patch application by confirming kernel version and rebuilding any custom kernel configurations that include B.A.T.M.A.N. support.
Patch guidance
Monitor your Linux distribution's security advisories for kernel updates that address CVE-2026-46238. Once available, prioritize patching for systems actively running B.A.T.M.A.N. mesh networking. Test patches in non-production environments first, particularly for critical mesh network infrastructure. Patch deployment should follow your organization's change management process; kernel updates typically require system restart. Verify the patched kernel is running post-reboot using `uname -r` and confirm B.A.T.M.A.N. module functionality through routing table inspection.
Detection guidance
Monitor kernel logs for memory corruption errors, page faults, or segmentation faults correlated with B.A.T.M.A.N. routing activity. Systems using kernel debugging facilities (CONFIG_DEBUG_PAGEALLOC, CONFIG_KASAN) may detect use-after-free access patterns earlier. Network anomalies in mesh topologies—unexpected routing changes, neighbor discovery failures, or sudden peer disconnections—may indicate exploitation attempts. Review kernel version and B.A.T.M.A.N. module status across your infrastructure to identify unpatched systems.
Why prioritize this
This vulnerability merits high priority due to its CVSS 8.8 severity score, practical exploitability within local network segments, and potential for both denial-of-service and code execution. While the attack surface is limited to network-adjacent threats, mesh networking and edge infrastructure deployments have become increasingly prevalent. Organizations relying on B.A.T.M.A.N. for critical connectivity should treat this as urgent.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects the confluence of high-impact outcomes (complete confidentiality, integrity, and availability compromise), low attack complexity, absence of privilege or user interaction requirements, and restricted but practical attack vector (adjacent network). The score appropriately elevates the threat beyond moderate due to the use-after-free's potential for kernel privilege escalation within affected mesh topologies.
Frequently asked questions
Does this affect my Linux desktop or laptop if I'm not running B.A.T.M.A.N. explicitly?
Most standard Linux desktop and server deployments do not enable B.A.T.M.A.N. routing. The vulnerability is relevant primarily to systems that explicitly load or compile the batman-adv kernel module, which is common in mesh networks, wireless community networks, and specialized edge deployments. Verify your kernel configuration or module list; if batman-adv is absent, your risk is minimal, though patching remains a best practice.
What's the difference between B.A.T.M.A.N. advanced (batman-adv) and the B.A.T.M.A.N. routing daemon?
B.A.T.M.A.N. advanced (batman-adv) is a kernel-level layer 2 mesh routing protocol; this CVE affects the in-kernel implementation. The B.A.T.M.A.N. routing daemon (batmand) is a separate user-space application for layer 3 routing. This vulnerability does not directly affect batmand, though users of either should verify their specific deployment architecture.
If I'm in a standard enterprise network without mesh routing, should I still patch?
If your infrastructure does not use B.A.T.M.A.N. advanced routing, this CVE is not a direct threat. However, general kernel security patching remains important for defense-in-depth. Coordinate with your Linux distribution's recommendations and your organization's patch management cycle.
What should I do if I cannot patch immediately?
For systems that cannot be patched urgently, restrict local network access to trusted peers and monitor kernel logs closely for signs of memory corruption. If your infrastructure permits, consider temporarily disabling B.A.T.M.A.N. routing until patches are available. Document the gap and establish a timeline for remediation through your change management process.
This analysis is provided for informational purposes and does not constitute legal or professional security advice. CVSS scores, vulnerability status, and patch availability are based on source data current as of the publication date. Organizations should verify patch version numbers, affected product versions, and distribution-specific advisories directly with vendors and distribution maintainers. Exploit code is not provided or discussed; use of this information for unauthorized system access is illegal. Test all patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment