HIGH
batman-adv TPMeter Race
CVE-2026-46208
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 5.7 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: stop tp_meter sessions during mesh teardown

TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down.

Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.
02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges (CAP_NET_ADMIN, obtainable via user namespaces) can trigger a use-after-free during batman-adv mesh interface teardown by removing the interface while TP meter sessions are active. This can lead to kernel crashes, information disclosure from freed heap memory, or limited memory corruption. This affects systems using batman-adv mesh networking where untrusted users or containers can create and destroy mesh interfaces.
Vulnerability analysis
The vulnerability is a race condition between mesh interface teardown and active TP meter sessions. When batadv_mesh_free() tears down a mesh interface, it does not synchronize with running TP meter sessions that remain on bat_priv->tp_list. Sender threads or late incoming packets can continue processing against a mesh instance that is already shutting down and being freed, leading to use-after-free conditions. The fix adds batadv_tp_stop_all() to the teardown path, which stops all active sessions and waits for sender threads to exit before mesh destruction continues.
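The ordering that the fix enforces can be seen in a small userspace model. This is an added example, not kernel code and not taken from the patch: `struct mesh`, `sender_fn`, `tp_stop_all` and `teardown_late_accesses` are hypothetical stand-ins for bat_priv, a tp_meter sender thread and batadv_tp_stop_all(), and the mesh is only flagged as dead (never freed) while threads run.

```c
/* Userspace model, not kernel code. All names here are hypothetical stand-ins. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
struct mesh {                     /* stands in for bat_priv */
    pthread_t sender[2];          /* one sender thread per active session */
    atomic_bool stop, alive;      /* alive goes false once teardown begins */
    atomic_int late_access;       /* sender iterations seen after that point */
};

static void *sender_fn(void *arg)
{
    struct mesh *m = arg;
    while (!atomic_load(&m->stop)) {
        if (!atomic_load(&m->alive))
            atomic_fetch_add(&m->late_access, 1);
        sched_yield();
    }
    return NULL;
}

static void tp_stop_all(struct mesh *m)   /* signal all sessions, then wait */
{
    atomic_store(&m->stop, true);
    for (int i = 0; i < 2; i++)
        pthread_join(m->sender[i], NULL);
}

/* Returns how often a sender touched the mesh after teardown had begun. */
int teardown_late_accesses(bool drain_first)
{
    struct mesh *m = calloc(1, sizeof(*m));
    if (!m) abort();
    atomic_store(&m->alive, true);
    for (int i = 0; i < 2; i++)
        if (pthread_create(&m->sender[i], NULL, sender_fn, m)) abort();
    if (drain_first)
        tp_stop_all(m);               /* fixed order: drain, then tear down */
    atomic_store(&m->alive, false);   /* teardown begins */
    if (!drain_first) {               /* unfixed order: senders still running */
        while (atomic_load(&m->late_access) == 0)
            sched_yield();
        tp_stop_all(m);               /* model only, so that free() is safe */
    }
    int late = atomic_load(&m->late_access);
    free(m);
    return late;
}
```

Build with `cc -pthread`. `teardown_late_accesses(true)` returns 0 because every sender has been joined before the mesh is marked dead, while `teardown_late_accesses(false)` returns a positive count.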
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.90 | 26dfeee8db81 |
| 6.18 | 6.18.32 | 03660dab86f9 |
| 6.6 | 6.6.140 | 79bc0eaeef2c |
| 7.0 | 7.0.9 | 8634c1dbd73a |
| mainline | 7.1-rc4 | 3d3cf6a7314a |