In the Linux kernel, the following vulnerability has been resolved:
batman-adv: frag: disallow unicast fragment in fragment
batadvfragskbbuffer() is called by batadvbatmanskbrecv() when a BATADVUNICASTFRAG packet is received. Once all fragments are collected and the packet is reassembled, batadvrecvfragpacket() calls batadvbatmanskbrecv() again to process the defragmented payload.
A malicious sender can craft a BATADVUNICASTFRAG packet whose reassembled payload is itself a BATADVUNICASTFRAG packet (matryoshka-style nesting). Each nesting level recurses through batadvbatmanskb_recv() without bound, growing the kernel stack until it is exhausted.
Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADVUNICASTFRAG packets after the defragmentation process.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52916.json",
"cna_assigner": "Linux"
}