CVE-2026-52914
CRITICAL 9.8In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix fragment reassembly length accounting batman-adv keeps a running payload length for queued fragments and uses it to validate a fragment chain before reassembly. That accounting currently allows the accumulated fragment length to be truncated during updates. As a result, malformed fragment chains can bypass the intended validation and drive reassembly with inconsistent length state, leading to a local denial of service. Fix the accounting by storing the accumulated length in a length-typed field and rejecting update overflows before the existing validation logic runs. The fix was verified against the original reproducer and against valid fragment reassembly paths.
Severe if exploited (CVSS 9.8), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.5%chance of exploitation in 30 days · 40th percentile
Impact if exploited
9.8CVSS 3.1 · CRITICAL
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityHigh
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
Not classified.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Technical & other
- https://git.kernel.org/stable/c/e4f3f6b818aa6a678bc54a2d4e0bece2303c6a64
- https://git.kernel.org/stable/c/37be61825b15534a16ff9cfc9546de155b6df982
- https://git.kernel.org/stable/c/975563c5de1123dde1ec7946bf5556d20c89d74e
- https://git.kernel.org/stable/c/f653b040dad1af70fa5cd4fe085e4758925480c9
- https://git.kernel.org/stable/c/e910dbf509125fe51ad68e4fa74dc8ab0a8e787a
- https://git.kernel.org/stable/c/3eb8bcb823391bd58997831b3c9c152a4ba8e255
- https://git.kernel.org/stable/c/fdb2c96efb2baeb3725e9ce3ede8f1e36f5490f0
- https://git.kernel.org/stable/c/9cd3f16c320bfdadd4509358122368deb56a5741