batman-adv: tvlv: reject oversized TVLV packets

Summary

CVE: CVE-2026-52934
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-24 08:16:23 UTC
Updated: 2026-06-28 08:16:24 UTC

Description: In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers.

The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.
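The wrap and the fix described above, modelled in userspace C. This is an added example, not the kernel patch or batman-adv source; the function names, the 4-byte `HDR_LEN` and the sample container sizes are assumptions made for the model.

```c
/* Added userspace model; not kernel code. Names and sizes are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 4u /* assumed per-container header size for this model */

/* Pre-fix behaviour: 16-bit accumulator and return type, wraps past 65535. */
static uint16_t list_size_u16(const uint16_t *payload_len, size_t n)
{
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total = (uint16_t)(total + HDR_LEN + payload_len[i]);
    return total;
}

/* Post-fix behaviour: size_t accumulator, so the true sum is preserved. */
static size_t list_size_wide(const uint16_t *payload_len, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += HDR_LEN + payload_len[i];
    return total;
}

/* Post-fix caller check: returns the bytes to allocate, or -1 to bail out
 * as if the allocation had failed when the section exceeds 16 bits. */
static long append_len_checked(const uint16_t *payload_len, size_t n)
{
    size_t total = list_size_wide(payload_len, n);
    if (total > UINT16_MAX)
        return -1;
    return (long)total;
}

/* Constructed sample: three containers of 30000 payload bytes each. */
static const uint16_t sample[] = { 30000, 30000, 30000 };

int main(void)
{
    size_t n = sizeof(sample) / sizeof(sample[0]);
    printf("bytes the copy writes: %zu\n", list_size_wide(sample, n));
    printf("u16 allocation size:   %u\n", (unsigned)list_size_u16(sample, n));
    printf("checked length:        %ld\n", append_len_checked(sample, n));
    return 0;
}
```

With the constructed sample, the 16-bit sum yields a buffer far smaller than the data the copy loop would write, which is the out-of-bounds write the description refers to; the checked variant refuses the request instead.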

Risk And Classification

Primary CVSS: v3.1 8.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002470000 probability, percentile 0.159070000 (date 2026-06-29)


| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

CVSS v3.1 Breakdown

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor Declared Affected Products

| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 c02aa6c0c9d1bea9bb75dea362b75ad225137bae git | Not specified |
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 1595628a2f877d052eda18865ccf539392c47c04 git | Not specified |
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 6448a49344e87487b61bd88cb850cd694a0f576d git | Not specified |
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 13493b00dd1e05a705981e052158652ea23eb482 git | Not specified |
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 94db72e9dac202e017ee3db22c59d17e4f3bf171 git | Not specified |
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 ede47988ac5687793745b17c1634a496a2299919 git | Not specified |
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 94a3d72cd9b21116d7c6d5bdc57c11401fc28557 git | Not specified |
| CNA | Linux | Linux | affected ef26157747d42254453f6b3ac2bd8bd3c53339c3 f50487e3566358b2b982b7801945e858c78ad9ab git | Not specified |
| CNA | Linux | Linux | affected 3.13 | Not specified |
| CNA | Linux | Linux | unaffected 3.13 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.259 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.210 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.176 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.143 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.93 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.34 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.11 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |

References

| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/c02aa6c0c9d1bea9bb75dea362b75ad225137bae | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/f50487e3566358b2b982b7801945e858c78ad9ab | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/6448a49344e87487b61bd88cb850cd694a0f576d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/94db72e9dac202e017ee3db22c59d17e4f3bf171 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/94a3d72cd9b21116d7c6d5bdc57c11401fc28557 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/13493b00dd1e05a705981e052158652ea23eb482 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1595628a2f877d052eda18865ccf539392c47c04 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ede47988ac5687793745b17c1634a496a2299919 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |