batman-adv: fix fragment reassembly length accounting_CVE-2026-52914

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix fragment reassembly length accounting

batman-adv keeps a running payload length for queued fragments and uses it
to validate a fragment chain before reassembly.

That accounting currently allows the accumulated fragment length to be
truncated during updates. As a result, malformed fragment chains can
bypass the intended validation and drive reassembly with inconsistent
length state, leading to a local denial of service.

Fix the accounting by storing the accumulated length in a length-typed
field and rejecting update overflows before the existing validation logic
runs.

The fix was verified against the original reproducer and against valid
fragment reassembly paths.

Basic Information

ID CVE-2026-52914

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version 610bfc6bc99bc83680d190ebc69359a05fc7f605

Affected Versions Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605
Linux Linux 3.13

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix fragment reassembly length accounting\n\nbatman-adv keeps a running payload length for queued fragments and uses it\nto validate a fragment chain before reassembly.\n\nThat accounting currently allows the accumulated fragment length to be\ntruncated during updates. As a result, malformed fragment chains can\nbypass the intended validation and drive reassembly with inconsistent\nlength state, leading to a local denial of service.\n\nFix the accounting by storing the accumulated length in a length-typed\nfield and rejecting update overflows before the existing validation logic\nruns.\n\nThe fix was verified against the original reproducer and against valid\nfragment reassembly paths.",
    "published": "2026-06-24T07:14:11.906Z",
    "modified": "2026-06-28T06:36:31.785Z",
    "type": "cve",
    "title": "batman-adv: fix fragment reassembly length accounting",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/e4f3f6b818aa6a678bc54a2d4e0bece2303c6a64\nhttps://git.kernel.org/stable/c/37be61825b15534a16ff9cfc9546de155b6df982\nhttps://git.kernel.org/stable/c/975563c5de1123dde1ec7946bf5556d20c89d74e\nhttps://git.kernel.org/stable/c/f653b040dad1af70fa5cd4fe085e4758925480c9\nhttps://git.kernel.org/stable/c/e910dbf509125fe51ad68e4fa74dc8ab0a8e787a\nhttps://git.kernel.org/stable/c/3eb8bcb823391bd58997831b3c9c152a4ba8e255\nhttps://git.kernel.org/stable/c/fdb2c96efb2baeb3725e9ce3ede8f1e36f5490f0\nhttps://git.kernel.org/stable/c/9cd3f16c320bfdadd4509358122368deb56a5741",
    "id": "CVE-2026-52914",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 610bfc6bc99bc83680d190ebc69359a05fc7f605\nLinux Linux 3.13",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "610bfc6bc99bc83680d190ebc69359a05fc7f605",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply