PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46238 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's batman-adv (Better Approach To Mobile Ad-hoc Networking) subsystem, specifically within the BAT IV (BATMAN IV) routing protocol implementation. The vulnerability stems from improper pointer management where originator pointers derived from temporary lookups were cached in neighbor node structures without ownership. These cached pointers could reference freed memory after originator purge handling executed, leading to potential use-after-free conditions when the stale pointers were subsequently accessed. The fix removes the auxiliary originator pointer storage from BAT IV neighbor state, instead resolving originator data on-demand from the stored neighbor address and properly dropping references after use. This vulnerability affects systems utilizing batman-adv with BAT IV routing in mesh networking configurations.

Vendor
Linux
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Organizations operating Linux-based mesh networks using batman-adv with BAT IV routing, including community wireless networks, emergency communication systems, and IoT/edge deployments relying on ad-hoc networking capabilities

Technical summary

The batman-adv kernel module implements mesh networking protocols including BATMAN IV (BAT IV). In BAT IV, each neigh_node structure maintains the last-hop neighbor address. The vulnerability occurred because certain code paths cached an originator pointer obtained from temporary lookups directly in the neighbor state. This cached pointer was not owned by the neigh_node structure and lacked proper reference counting. When originator purge handling ran—typically during memory pressure or periodic cleanup—originator entries could be freed while the cached pointer in neigh_node remained unchanged. Subsequent access to this stale pointer resulted in use-after-free memory corruption. The resolution removes the auxiliary originator pointer field from BAT IV neighbor state entirely. Originators are now resolved dynamically from the stored neighbor address when needed, with explicit reference acquisition and release ensuring proper lifetime management. The fix additionally avoids bonding logic for outgoing OGM (Originator Message) packets as noted in the commit attribution.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable branch commits when available from your Linux distribution
  • Review systems utilizing batman-adv mesh networking with BAT IV routing protocol
  • Monitor NVD entry for CVSS score assignment and severity rating
  • Validate kernel version against patched commits: 09dc0d1a12222ffca6481916eab3cfea477b9620, 67bceeb22207f1f5a402973a3a0809e5f2698f38, 6e20700f8c524ac379ba8274ff5d453023b7c006, aafcbaf1159ea224528ca4075d0ba8c10ef374af, f03
  • 8583532941b07761c5429de7d50766fa3110

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry published 2026-05-28. Kernel.org git commits provided as references confirm the fix implementation across stable kernel branches. No CVSS score or severity rating currently assigned by NVD (status: Awaiting Analysis). Vendor identification marked as low confidence requiring review; 'Kernel' referenced as domain candidate.

Official resources

2026-05-28