PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46208 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's batman-adv (Better Approach To Mobile Ad-hoc Networking) subsystem. The tp_meter (throughput meter) sessions remain linked on bat_priv->tp_list after netlink requests complete. When a mesh interface is removed, batadv_mesh_free() tears down the mesh without first draining these active sessions. A running sender thread or late incoming tp_meter packet can then continue processing against a mesh instance that is already shutting down, leading to potential use-after-free conditions. The fix synchronizes tp_meter with mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Linux systems with batman-adv mesh networking enabled, particularly embedded systems, wireless mesh deployments, and distributions shipping batman-adv as a loadable kernel module.

Technical summary

The batman-adv kernel module fails to properly synchronize tp_meter session teardown with mesh interface removal. When batadv_mesh_free() is called during mesh teardown, active tp_meter sessions may continue running against freed memory. The vulnerability is triggered when: (1) tp_meter sessions remain on bat_priv->tp_list after netlink requests finish, (2) mesh interface removal initiates teardown via batadv_mesh_free(), and (3) sender threads or incoming packets access the partially torn-down mesh instance. The resolution stops all active tp_meter sessions and waits for sender thread exit before completing mesh teardown.

Defensive priority

medium

Recommended defensive actions

  • Check the running kernel version and confirm whether the batman-adv module is loaded or any mesh interfaces are configured
  • Apply kernel updates containing the referenced stable commits as soon as your distribution ships them
  • Monitor vendor security advisories for kernel updates addressing CVE-2026-46208
  • If you run custom kernel builds, cherry-pick the appropriate stable commit for your kernel version
  • Consider disabling batman-adv mesh interfaces that are not required until patches can be applied
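The first action above is an inventory question, so here is an added example (not the advisory's text and not code from the batman-adv project) that answers it from an unprivileged shell. It assumes that the directory /sys/module/batman_adv exists whenever the module is loaded or built in, and that `ip -d link` prints a detail line beginning with `batadv` for mesh (soft) interfaces and `batadv_slave` for hard interfaces attached to a mesh. The sysfs-root argument and the sample `ip -d link` text are constructed so the checks can be exercised on a host that has no mesh at all.

```shell
#!/bin/sh
# Added example, not from the advisory or the batman-adv project: answer
# "is batman-adv loaded, and are any mesh interfaces configured?" using
# only /sys and the output of 'ip -d link'.
# Assumptions: /sys/module/batman_adv is present when the module is loaded
# or built in; 'ip -d link' shows a detail line starting with "batadv"
# (soft interface) or "batadv_slave" (hard interface enslaved to a mesh).

# Return 0 when batman-adv is present in the kernel; $1 is the sysfs root
# (normally /sys; another root lets the check be exercised offline).
batadv_module_loaded() {
    sysroot="${1:-/sys}"
    [ -d "$sysroot/module/batman_adv" ]
}

# Read 'ip -d link' text on stdin and print one interface name per line for
# every interface whose detail line names the batadv or batadv_slave type.
batadv_ifaces_from_ip() {
    awk '
        /^[0-9]+: / {
            split($2, parts, "@")      # "bat0:" or "eth0.1@eth0:"
            sub(/:$/, "", parts[1])
            name = parts[1]
        }
        /^[[:space:]]+batadv(_slave)?([[:space:]]|$)/ { print name }
    '
}

# Constructed sample resembling 'ip -d link' on a host with one mesh (bat0)
# and one hard interface (wlan0) enslaved to it.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1532 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 256 maxmtu 2304
    batadv_slave addrgenmode eui64
3: bat0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    batadv addrgenmode none'

# Run both checks against the live host and print a short report.
batadv_report() {
    if batadv_module_loaded /sys; then
        echo "batman-adv: loaded (compare the running kernel with the CVE-2026-46208 fix)"
    else
        echo "batman-adv: not loaded"
    fi
    if command -v ip >/dev/null 2>&1; then
        ifaces=$(ip -d link 2>/dev/null | batadv_ifaces_from_ip)
        if [ -n "$ifaces" ]; then
            echo "mesh-related interfaces:"
            echo "$ifaces"
        else
            echo "mesh-related interfaces: none"
        fi
    fi
}

batadv_report
```

Run it on each candidate host; a report of "not loaded" and "none" means the host is outside the affected configuration and can be deprioritised. On hosts that do show a mesh, `lsmod | grep batman_adv` is a quick cross-check, and the `batadv_slave` entries tell you which physical interfaces would lose connectivity if you take the mesh down while waiting for the patched kernel.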

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-28. The fix involves modifying batadv_mesh_free() to properly synchronize tp_meter session teardown with mesh interface removal. Multiple stable kernel commits are referenced, indicating backports to various kernel versions.

Official resources

2026-05-28