HIGH
batman-adv TpMeter Race
CVE-2026-46206
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: reject new tp_meter sessions during teardown

Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.
02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges (CAP_NET_ADMIN) can trigger a race condition in batman-adv's throughput meter during mesh teardown, potentially causing kernel crashes or denial of service. This affects systems using batman-adv mesh networking where users can initiate throughput measurements or process incoming mesh TP packets.
Vulnerability analysis
The vulnerability is a race condition between tp_meter session initialization/reception and mesh teardown. The original code allowed new throughput meter sender or receiver sessions to start, and incoming TP packets to be processed, even after the mesh state left BATADV_MESH_ACTIVE. The fix adds atomic mesh_state checks at three critical points under the tp_list_lock spinlock: batadv_tp_start() for sender sessions, batadv_tp_init_recv() for receiver sessions, and batadv_tp_meter_recv() for inbound packet processing. These checks prevent new sessions from starting and drop packets when the mesh is not active, eliminating the race window. The attack surface is local, requiring CAP_NET_ADMIN (obtainable via user namespaces on default kernels) to configure batman-adv interfaces, initiate teardown, or start tp_meter sessions via batctl/netlink.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 0a7a840074c9 |
| 5.15 | 5.15.209 | dcff44644bb5 |
| 6.1 | 6.1.175 | 52e6ec3e972c |
| 6.6 | 6.6.140 | e4a3c4a4c8f6 |
| 6.12 | 6.12.90 | ff93f86ecbb5 |
| 6.18 | 6.18.32 | e1e2194cc725 |
| 7.0 | 7.0.9 | ca39545cf07c |
| mainline | 7.1-rc4 | 324354359242 |
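
A check of an upstream kernel release string against the fix table above, as an added example that is not part of the advisory or the kernel project's code. The function name `tp_meter_fix_status` is hypothetical, and treating releases newer than 7.1 as fixed is an assumption based on the mainline entry.

```shell
#!/bin/sh
# Added example, not kernel or KernelScan code. Fix versions come from the table above.
# Prints fixed | vulnerable | unlisted for an upstream kernel release string.
tp_meter_fix_status() {   # hypothetical helper name
    rel=$1
    base=${rel%%[!0-9.]*}            # "6.1.170-generic" -> "6.1.170"
    old_ifs=$IFS; IFS=.
    set -- $base                     # split into major, minor, patch
    IFS=$old_ifs
    major=${1:-}; minor=${2:-}; patch=${3:-0}
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unlisted; return 0 ;; esac
    done
    case $major.$minor in            # first fixed patch level per stable branch
        5.10) first=258 ;;
        5.15) first=209 ;;
        6.1)  first=175 ;;
        6.6)  first=140 ;;
        6.12) first=90 ;;
        6.18) first=32 ;;
        7.0)  first=9 ;;
        7.1)  # mainline fix landed in 7.1-rc4; only -rc1..-rc3 predate it
            rc=4
            if [ "$patch" -eq 0 ]; then
                case $rel in *-rc[0-9]*) rc=${rel#*-rc}; rc=${rc%%[!0-9]*} ;; esac
            fi
            if [ "$rc" -lt 4 ]; then echo vulnerable; else echo fixed; fi
            return 0 ;;
        *)  # assumption: branches newer than 7.1 descend from the mainline fix
            if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 1 ]; }; then
                echo fixed
            else
                echo unlisted        # branch not in the table; the page gives no data
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$first" ]; then echo fixed; else echo vulnerable; fi
}

# Report on the running kernel.
tp_meter_fix_status "$(uname -r)"
```

Distribution kernels often backport fixes without changing the upstream version number, so a `vulnerable` result on a vendor kernel should be confirmed against the vendor's own advisory.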