CVE-2026-52934 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00164.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< c02aa6c0c9d1bea9bb75dea362b75ad225137bae
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< 1595628a2f877d052eda18865ccf539392c47c04
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< 6448a49344e87487b61bd88cb850cd694a0f576d
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< 13493b00dd1e05a705981e052158652ea23eb482
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< 94db72e9dac202e017ee3db22c59d17e4f3bf171
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< ede47988ac5687793745b17c1634a496a2299919
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< 94a3d72cd9b21116d7c6d5bdc57c11401fc28557
`ef26157747d42254453f6b3ac2bd8bd3c53339c3`	affected	< f50487e3566358b2b982b7801945e858c78ad9ab

Linux

affected

Version	Status	Constraints
`3.13`	affected	—
`0`	unaffected	< 3.13
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.93`	unaffected	≤ 6.12.*
`6.18.34`	unaffected	≤ 6.18.*
`7.0.11`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/13493b00dd1e05a705981e052158652ea23eb482
https://git.kernel.org/stable/c/1595628a2f877d052eda18865ccf539392c47c04
https://git.kernel.org/stable/c/6448a49344e87487b61bd88cb850cd694a0f576d
https://git.kernel.org/stable/c/94a3d72cd9b21116d7c6d5bdc57c11401fc28557
https://git.kernel.org/stable/c/94db72e9dac202e017ee3db22c59d17e4f3bf171
https://git.kernel.org/stable/c/c02aa6c0c9d1bea9bb75dea362b75ad225137bae
https://git.kernel.org/stable/c/ede47988ac5687793745b17c1634a496a2299919
https://git.kernel.org/stable/c/f50487e3566358b2b982b7801945e858c78ad9ab

History

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: tvlv: reject oversized TVLV packets batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers. The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory. Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.
Title		batman-adv: tvlv: reject oversized TVLV packets
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/13493b00dd1e05a705981e052158652ea23eb482 https://git.kernel.org/stable/c/1595628a2f877d052eda18865ccf539392c47c04 https://git.kernel.org/stable/c/6448a49344e87487b61bd88cb850cd694a0f576d https://git.kernel.org/stable/c/94a3d72cd9b21116d7c6d5bdc57c11401fc28557 https://git.kernel.org/stable/c/94db72e9dac202e017ee3db22c59d17e4f3bf171 https://git.kernel.org/stable/c/c02aa6c0c9d1bea9bb75dea362b75ad225137bae https://git.kernel.org/stable/c/ede47988ac5687793745b17c1634a496a2299919 https://git.kernel.org/stable/c/f50487e3566358b2b982b7801945e858c78ad9ab

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:25.321Z

Updated: 2026-06-24T07:14:25.321Z

Reserved: 2026-06-09T07:44:35.369Z

Link: CVE-2026-52934

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T13:15:15Z

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object