In the Linux kernel, the following vulnerability has been resolved:
batman-adv: tvlv: reject oversized TVLV packets
batadvtvlvcontainerogmappend() builds a TVLV packet section from the tvlv.containerlist. The total size of this section is computed by batadvtvlvcontainerlist_size(), which sums the sizes of all registered containers.
The return type and accumulator in batadvtvlvcontainerlistsize() were u16. If the accumulated size exceeds U16MAX, the value wraps around, causing the subsequent allocation in batadvtvlvcontainerogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory.
Fix this by widening the return type of batadvtvlvcontainerlistsize() to sizet. In batadvtvlvcontainerogmappend(), check the computed length against U16MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52934.json",
"cna_assigner": "Linux"
}