batman-adv Backbone Gateway UAF
CVE-2026-31657
Severity: CRITICAL (CVSS 9.8)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: KernelScan AI
01 Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: hold claim backbone gateways by reference

batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.

Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.
02 KernelScan AI Analysis
Risk summary
A critical use-after-free vulnerability in the batman-adv mesh networking subsystem could allow attackers to cause system crashes or potentially execute arbitrary code. The vulnerability occurs when backbone gateway objects are freed while still being accessed by netlink dump operations or claim checking, leading to memory corruption. This affects systems using batman-adv mesh networking with bridge loop avoidance enabled.
Vulnerability analysis
Root Cause: The batman-adv bridge loop avoidance code has a use-after-free vulnerability where claim->backbone_gw pointers can be dereferenced after the underlying backbone gateway object has been freed. In batadv_bla_add_claim(), the claim->backbone_gw can be replaced and the old gateway's last reference dropped while readers in other code paths (netlink dump and claim check) still follow the dangling pointer without proper reference counting.
Attack Surface: This vulnerability affects batman-adv mesh networks where bridge loop avoidance is enabled. The attack surface includes both local and network-based scenarios since batman-adv operates as a mesh networking protocol. The netlink dump functionality can be triggered by local processes with appropriate privileges, while the claim check path is part of normal mesh packet processing.
Fix Mechanism: The fix introduces proper reference counting by using batadv_bla_claim_get_backbone_gw() in both the netlink dump path (batadv_bla_claim_dump_entry) and claim check path (batadv_bla_check_claim). This function returns a stable reference to the backbone gateway that is held until the read operation completes, preventing the gateway from being freed while in use. The reference is properly released with batadv_backbone_gw_put() when done.
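To make the fix mechanism concrete, the following is an added, simplified userspace model and not batman-adv code: a plain int refcount stands in for the kernel's kref and crc_lock, and the names backbone_gw_alloc(), claim_get_backbone_gw(), claim_replace_backbone_gw() and dump_claim_entry() are hypothetical stand-ins for the roles batadv_bla_claim_get_backbone_gw(), batadv_bla_add_claim() and the dump path play. It shows why the reader must pin the gateway before a concurrent replace drops the old reference.

```c
#include <stdlib.h>
/* Simplified model, not batman-adv code: kref and crc_lock are replaced
 * by a plain int refcount; names are hypothetical stand-ins. */
struct backbone_gw { int refcount; unsigned short crc; };
struct claim { struct backbone_gw *backbone_gw; }; /* swapped by add_claim */
int gw_freed_count = 0;                /* gateways actually released */
struct backbone_gw *backbone_gw_alloc(unsigned short crc)
{
    struct backbone_gw *gw = calloc(1, sizeof(*gw));
    if (!gw) return NULL;
    gw->refcount = 1;                  /* reference the claim will own */
    gw->crc = crc;
    return gw;
}
void backbone_gw_put(struct backbone_gw *gw)
{
    if (--gw->refcount == 0) {         /* last reference: object is gone */
        gw_freed_count++;
        free(gw);
    }
}

/* Reader-side pin, the role batadv_bla_claim_get_backbone_gw() plays. */
struct backbone_gw *claim_get_backbone_gw(struct claim *c)
{
    if (c->backbone_gw) c->backbone_gw->refcount++;
    return c->backbone_gw;
}

/* Writer side, as batadv_bla_add_claim() does: install new_gw (taking
 * ownership of the caller's reference) and drop the old gateway. */
void claim_replace_backbone_gw(struct claim *c, struct backbone_gw *new_gw)
{
    struct backbone_gw *old = c->backbone_gw;
    c->backbone_gw = new_gw;
    if (old) backbone_gw_put(old);
}

/* Fixed dump path: pin first, so a replace racing with the read cannot
 * free the gateway underneath us; the old one dies only at our put. */
unsigned short dump_claim_entry(struct claim *c, struct backbone_gw *racing_new_gw)
{
    struct backbone_gw *gw = claim_get_backbone_gw(c);
    if (!gw) return 0;
    claim_replace_backbone_gw(c, racing_new_gw);   /* simulated race */
    unsigned short crc = gw->crc;      /* safe: our reference keeps gw alive */
    backbone_gw_put(gw);               /* now the old gateway really goes */
    return crc;
}
```

Without the pin in dump_claim_entry(), the replace would drop the old gateway's last reference before the crc read, which is exactly the dangling access the fix removes.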
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 5202f071b367 |
| 5.15 | 5.15.209 | 69d1ce9c72ec |
| 6.1 | 6.1.169 | f4858832ddef |
| 6.6 | 6.6.135 | 2f55b58b5a0b |
| 6.12 | 6.12.82 | 7962b5222226 |
| 6.18 | 6.18.23 | 4dee4c068844 |
| 6.19 | 6.19.13 | 1f2dc36c297d |
| mainline | 7.0 | 82d8701b2c93 |