batman-adv: tvlv: reject oversized TVLV packets_CVE-2026-52934

8.8 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.

Basic Information

ID CVE-2026-52934

Source Linux

Published Jun 24, 2026 at 07:14

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version ef26157747d42254453f6b3ac2bd8bd3c53339c3

Affected Versions Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3
Linux Linux 3.13

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: tvlv: reject oversized TVLV packets\n\nbatadv_tvlv_container_ogm_append() builds a TVLV packet section from\nthe tvlv.container_list. The total size of this section is computed by\nbatadv_tvlv_container_list_size(), which sums the sizes of all registered\ncontainers.\n\nThe return type and accumulator in batadv_tvlv_container_list_size() were\nu16. If the accumulated size exceeds U16_MAX, the value wraps around,\ncausing the subsequent allocation in batadv_tvlv_container_ogm_append()\nto be undersized. The memcpy-style copy that follows would then write\nbeyond the end of the allocated buffer, corrupting kernel memory.\n\nFix this by widening the return type of batadv_tvlv_container_list_size()\nto size_t. In batadv_tvlv_container_ogm_append(), check the computed length\nagainst U16_MAX before proceeding, and bail out as if the allocation had\nfailed when the limit is exceeded.",
    "published": "2026-06-24T07:14:25.321Z",
    "modified": "2026-06-28T06:36:55.538Z",
    "type": "cve",
    "title": "batman-adv: tvlv: reject oversized TVLV packets",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/c02aa6c0c9d1bea9bb75dea362b75ad225137bae\nhttps://git.kernel.org/stable/c/1595628a2f877d052eda18865ccf539392c47c04\nhttps://git.kernel.org/stable/c/6448a49344e87487b61bd88cb850cd694a0f576d\nhttps://git.kernel.org/stable/c/13493b00dd1e05a705981e052158652ea23eb482\nhttps://git.kernel.org/stable/c/94db72e9dac202e017ee3db22c59d17e4f3bf171\nhttps://git.kernel.org/stable/c/ede47988ac5687793745b17c1634a496a2299919\nhttps://git.kernel.org/stable/c/94a3d72cd9b21116d7c6d5bdc57c11401fc28557\nhttps://git.kernel.org/stable/c/f50487e3566358b2b982b7801945e858c78ad9ab",
    "id": "CVE-2026-52934",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux ef26157747d42254453f6b3ac2bd8bd3c53339c3\nLinux Linux 3.13",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "ef26157747d42254453f6b3ac2bd8bd3c53339c3",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply