batman-adv: tp_meter: avoid use of uninit sender vars_CVE-2026-52931

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tp_meter: avoid use of uninit sender vars

batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the
BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it
proceeds to read sender-only members that were never initialized, leading
to undefined behavior.

This can be triggered when a node that is currently acting as a receiver in
an ongoing tp_meter session receives a malicious ACK packet.

Guard against this by checking tp_vars->role immediately after the
lookup and bailing out if it is not BATADV_TP_SENDER, before any of
those members are accessed.

Basic Information

ID CVE-2026-52931

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version 33a3bb4a3345bb511f9c69c913da95d4693e2a4e

Affected Versions Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e
Linux Linux 4.8

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: tp_meter: avoid use of uninit sender vars\n\nbatadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the\nBATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it\nproceeds to read sender-only members that were never initialized, leading\nto undefined behavior.\n\nThis can be triggered when a node that is currently acting as a receiver in\nan ongoing tp_meter session receives a malicious ACK packet.\n\nGuard against this by checking tp_vars->role immediately after the\nlookup and bailing out if it is not BATADV_TP_SENDER, before any of\nthose members are accessed.",
    "published": "2026-06-24T07:14:23.349Z",
    "modified": "2026-06-28T06:36:51.143Z",
    "type": "cve",
    "title": "batman-adv: tp_meter: avoid use of uninit sender vars",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/0e388af04b3958b178a1b979527f93eb46ea1fee\nhttps://git.kernel.org/stable/c/1a21c055f66e78973712a4a1be2a554f1ee2e4f4\nhttps://git.kernel.org/stable/c/9884c9c02d3c90e9215db3c5128f59045d20ae91\nhttps://git.kernel.org/stable/c/53f931e0146ae5bdab4cba302646827d06b3794b\nhttps://git.kernel.org/stable/c/ecdaa3e4d91040206afe21bc8a0d1198a0971ff3\nhttps://git.kernel.org/stable/c/dc2ae5fbd2dadc26735092f140b246841d969a11\nhttps://git.kernel.org/stable/c/85397e48afe6be83ffca5ad3f4792296bfc81d3d\nhttps://git.kernel.org/stable/c/6c65cf23d4c6170fcf5714c32aa64689718cb142",
    "id": "CVE-2026-52931",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 33a3bb4a3345bb511f9c69c913da95d4693e2a4e\nLinux Linux 4.8",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "33a3bb4a3345bb511f9c69c913da95d4693e2a4e",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply