Back to overview

CVE-2026-52916

Description
In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.

Metadata

CVE ID
CVE-2026-52916
State
PUBLISHED
Assigner
Linux
Reserved
2026-06-09 07:44 UTC
Published
2026-06-24 07:14 UTC
Last updated
2026-06-24 07:14 UTC
Vendor / Product
Linux / Linux
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (2)
VendorProductPlatformVersions
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605 < 0c208fa3859e3a33a1c38bebc41d021166e94ac8, 610bfc6bc99bc83680d190ebc69359a05fc7f605 < bcda4814dc6524283c0b958882cb963d75fe411d, 610bfc6bc99bc83680d190ebc69359a05fc7f605 < aea54d0bbe156d5ab7d00d68f66149ff41f4612a, 610bfc6bc99bc83680d190ebc69359a05fc7f605 < b54e459cf86943583c1aa2ee3081874e7ab1f5f3 …
Linux Linux 3.13, 0 < 3.13, 5.10.258 ≤ 5.10.*, 5.15.209 ≤ 5.15.* …
References (8)
Back to overview