CVE-2026-52934

Source
https://cve.org/CVERecord?id=CVE-2026-52934
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52934.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52934
Downstream
Published
2026-06-24T07:14:25.321Z
Modified
2026-07-10T03:54:50.220802902Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
batman-adv: tvlv: reject oversized TVLV packets
Details

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadvtvlvcontainerogmappend() builds a TVLV packet section from the tvlv.containerlist. The total size of this section is computed by batadvtvlvcontainerlist_size(), which sums the sizes of all registered containers.

The return type and accumulator in batadvtvlvcontainerlistsize() were u16. If the accumulated size exceeds U16MAX, the value wraps around, causing the subsequent allocation in batadvtvlvcontainerogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadvtvlvcontainerlistsize() to sizet. In batadvtvlvcontainerogmappend(), check the computed length against U16MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52934.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ef26157747d42254453f6b3ac2bd8bd3c53339c3
Fixed
c02aa6c0c9d1bea9bb75dea362b75ad225137bae
Fixed
1595628a2f877d052eda18865ccf539392c47c04
Fixed
6448a49344e87487b61bd88cb850cd694a0f576d
Fixed
13493b00dd1e05a705981e052158652ea23eb482
Fixed
94db72e9dac202e017ee3db22c59d17e4f3bf171
Fixed
ede47988ac5687793745b17c1634a496a2299919
Fixed
94a3d72cd9b21116d7c6d5bdc57c11401fc28557
Fixed
f50487e3566358b2b982b7801945e858c78ad9ab

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52934.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.13.0
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.93
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.34
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52934.json"