batman-adv Claim UAF
CVE-2026-46212
Severity: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 8.3 (HIGH)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: prevent use-after-free when deleting claims

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in batman-adv's bridge loop avoidance code allows adjacent network attackers to corrupt kernel memory or cause a denial of service. The flaw occurs when deleting backbone claims, where a claim object may be freed before its hash list entry is removed, leading to deterministic heap memory corruption and potential kernel crashes.
Vulnerability analysis
The vulnerability stems from incorrect ordering of operations in batadv_bla_del_backbone_claims(). The function calls batadv_claim_put() before hlist_del_rcu(), so when the list link held the last reference, the claim object is freed while the list deletion code still writes to it. Because hlist_del_rcu() dereferences the claim's list node to update the hash list pointers, dropping the reference first results in a deterministic use-after-free write to heap memory. The fix reorders these operations so that the reference is dropped only after the hash list entry has been removed. This affects batman-adv mesh nodes with bridge loop avoidance enabled and requires adjacent network access to trigger.
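As an added illustration (not code from the kernel or from this advisory), the following userspace model reproduces the ordering problem described above: the chain link owns one reference, and unlinking after that reference is dropped writes into an object that has already been released. claim_put(), list_del(), del_all_claims() and run_scenario() are stand-ins for batadv_claim_put(), hlist_del_rcu() and batadv_bla_del_backbone_claims(); a freed flag replaces the real kfree() so the run is deterministic instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Refcounted claim in a hash chain; the chain link itself owns one reference. */
struct claim {
    int refcount;        /* stands in for the kernel kref */
    struct claim *next;  /* stands in for the hlist node */
    bool freed;          /* simulation only: set where the kernel would kfree() */
};

static int uaf_writes;   /* writes into a claim whose last reference is gone */

/* Stand-in for batadv_claim_put(): the last put releases the object. */
static void claim_put(struct claim *c) { if (--c->refcount == 0) c->freed = true; }

/* Stand-in for hlist_del_rcu(): unlinking writes through the node, so doing
 * it after the object was released is a use-after-free write. */
static void list_del(struct claim **pprev, struct claim *c)
{
    if (c->freed) uaf_writes++;
    *pprev = c->next;
    c->next = NULL;      /* this write lands in released memory */
}

/* Mirrors batadv_bla_del_backbone_claims() with the pre- or post-fix order. */
static void del_all_claims(struct claim **head, bool put_before_del)
{
    struct claim *c;
    while ((c = *head) != NULL) {
        if (put_before_del) { claim_put(c); list_del(head, c); }  /* before fix */
        else                { list_del(head, c); claim_put(c); }  /* after fix */
    }
}

/* Builds a four-claim chain, deletes it with the chosen order and returns the
 * number of use-after-free writes, or -1 if a claim was never released. */
static int run_scenario(bool put_before_del)
{
    struct claim pool[4], *head = NULL;
    for (size_t i = 4; i-- > 0;) {  /* each link holds the one reference */
        pool[i] = (struct claim){ .refcount = 1, .next = head, .freed = false };
        head = &pool[i];
    }
    uaf_writes = 0;
    del_all_claims(&head, put_before_del);
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].freed) return -1;
    return uaf_writes;
}
```

With the pre-fix order every unlink touches a released claim, so run_scenario(true) reports one use-after-free write per claim; the post-fix order reports none while still releasing every claim.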
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 1d4b241482d9 |
| 5.15 | 5.15.209 | a1a99837bb61 |
| 6.1 | 6.1.175 | b88c865dcf6e |
| 6.6 | 6.6.140 | 368449e467d5 |
| 6.12 | 6.12.90 | 6c5dc6d68e6b |
| 6.18 | 6.18.32 | 00155f336a5e |
| 7.0 | 7.0.9 | 0cc9847c64cb |
| mainline | 7.1-rc4 | 4ae1709a3140 |