CVE-2026-52931

Source
https://cve.org/CVERecord?id=CVE-2026-52931
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52931.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52931
Downstream
Published
2026-06-24T07:14:23.349Z
Modified
2026-07-15T01:49:06.163263632Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
batman-adv: tp_meter: avoid use of uninit sender vars
Details

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tp_meter: avoid use of uninit sender vars

batadvtprecvack() and batadvtpstop() are only valid for tpvars in the BATADVTPSENDER role. When called with a BATADVTPRECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior.

This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet.

Guard against this by checking tpvars->role immediately after the lookup and bailing out if it is not BATADVTP_SENDER, before any of those members are accessed.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52931.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Fixed
0e388af04b3958b178a1b979527f93eb46ea1fee
Fixed
1a21c055f66e78973712a4a1be2a554f1ee2e4f4
Fixed
9884c9c02d3c90e9215db3c5128f59045d20ae91
Fixed
53f931e0146ae5bdab4cba302646827d06b3794b
Fixed
ecdaa3e4d91040206afe21bc8a0d1198a0971ff3
Fixed
dc2ae5fbd2dadc26735092f140b246841d969a11
Fixed
85397e48afe6be83ffca5ad3f4792296bfc81d3d
Fixed
6c65cf23d4c6170fcf5714c32aa64689718cb142

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52931.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.142
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.92
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.34
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52931.json"