HIGH Published 2026-05-28

batman-adv Originator UAF

CVE-2026-46238

CVSS 8.8 / 10.0 NVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI8.8HIGH

01Description

In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. [sven: avoid bonding logic for outgoing OGM]

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Adjacent attackers can exploit a use-after-free vulnerability in the batman-adv mesh networking protocol by sending crafted OGM packets to an active mesh interface, achieving arbitrary kernel code execution or causing a kernel panic. The vulnerability affects systems running batman-adv mesh networks where cached originator pointers in BAT IV neighbor state become stale after originator purge handling runs.

Affectednet/batman-adv/bat_iv_ogm.c (batman-adv mesh networking)

Vulnerability analysis

The vulnerability stems from batman-adv BAT IV caching unowned originator pointers in neigh_node structures. These cached pointers are derived from temporary lookups but are not reference-counted, so they can become dangling pointers when originator entries are freed during asynchronous purge operations. When the stale pointer is later dereferenced during incoming OGM processing, it results in a use-after-free. Because the bug is triggered in the packet receive path, an adjacent mesh peer (or any host on the same layer-2 segment) can exploit it by sending batman-adv protocol frames to a target with an active mesh interface. The fix eliminates the cached originator pointer storage and instead performs fresh hash lookups with proper reference counting when originator data is needed.

03Fix Versions

Branch	Fixed in	Patch commit
5.10	5.10.258	`86b2b58d7c22`
5.15	5.15.209	`384e3050a42b`
6.1	6.1.175	`8c16c68fdbb6`
6.12	6.12.90	`6e20700f8c52`
6.18	6.18.32	`09dc0d1a1222`
6.6	6.6.140	`aafcbaf1159e`
7.0	7.0.9	`67bceeb22207`
mainline	7.1-rc4	`f03e85835329`