batman-adv: fix tp_meter counter underflow during shutdown_CVE-2026-52919

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix tp_meter counter underflow during shutdown

batadv_tp_sender_shutdown() unconditionally decrements the "sending"
atomic counter. If multiple paths (e.g. timeout, user cancel, and
normal finish) call this function, the counter can underflow to -1.

Since the sender logic treats any non-zero value as "still sending",
a negative value causes the sender kthread to loop indefinitely.
This leads to a use-after-free when the interface is removed while
the zombie thread is still active.

Fix this by using atomic_xchg() to ensure the counter only transitions
from 1 to 0 once.

[sven: added missing change in batadv_tp_send]

Basic Information

ID CVE-2026-52919

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version 33a3bb4a3345bb511f9c69c913da95d4693e2a4e

Affected Versions Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 4.8

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix tp_meter counter underflow during shutdown\n\nbatadv_tp_sender_shutdown() unconditionally decrements the \"sending\"\natomic counter. If multiple paths (e.g. timeout, user cancel, and\nnormal finish) call this function, the counter can underflow to -1.\n\nSince the sender logic treats any non-zero value as \"still sending\",\na negative value causes the sender kthread to loop indefinitely.\nThis leads to a use-after-free when the interface is removed while\nthe zombie thread is still active.\n\nFix this by using atomic_xchg() to ensure the counter only transitions\nfrom 1 to 0 once.\n\n[sven: added missing change in batadv_tp_send]",
    "published": "2026-06-24T07:14:15.201Z",
    "modified": "2026-06-28T06:36:40.590Z",
    "type": "cve",
    "title": "batman-adv: fix tp_meter counter underflow during shutdown",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/e75e2ab463b5b34df6b98f94d740aff327ce9f6b\nhttps://git.kernel.org/stable/c/abae88fa254f2981d39ac003a7b302528a22af64\nhttps://git.kernel.org/stable/c/c66d20a3ff095e3f000551d208ec2606616db15c\nhttps://git.kernel.org/stable/c/c1bac194733aabd731aafa6a01350c229e187dba\nhttps://git.kernel.org/stable/c/01cefc5923889e29dbb5f281c3d457714ceb9c00\nhttps://git.kernel.org/stable/c/90ae3eae06b7b8ab9f6250b9497c860915b4c17b\nhttps://git.kernel.org/stable/c/aeae11c5dad9cd0d50723890bdd866f8e6db2e7d\nhttps://git.kernel.org/stable/c/94f3b133168d1c49895e7cc6afbcf1cc0b354602",
    "id": "CVE-2026-52919",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 4.8",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply