CVE-2026-52934
HIGH 8.8In the Linux kernel, the following vulnerability has been resolved: batman-adv: tvlv: reject oversized TVLV packets batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers. The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory. Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.
Severe if exploited (CVSS 8.8), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
0.2%chance of exploitation in 30 days · 16th percentile
Impact if exploited
8.8CVSS 3.1 · HIGH
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityHigh
What an attacker needs
- ⚠Access: Must sit on the same / adjacent network
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
Not classified.
CVSS vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Technical & other
- https://git.kernel.org/stable/c/c02aa6c0c9d1bea9bb75dea362b75ad225137bae
- https://git.kernel.org/stable/c/1595628a2f877d052eda18865ccf539392c47c04
- https://git.kernel.org/stable/c/6448a49344e87487b61bd88cb850cd694a0f576d
- https://git.kernel.org/stable/c/13493b00dd1e05a705981e052158652ea23eb482
- https://git.kernel.org/stable/c/94db72e9dac202e017ee3db22c59d17e4f3bf171
- https://git.kernel.org/stable/c/ede47988ac5687793745b17c1634a496a2299919
- https://git.kernel.org/stable/c/94a3d72cd9b21116d7c6d5bdc57c11401fc28557
- https://git.kernel.org/stable/c/f50487e3566358b2b982b7801945e858c78ad9ab