HIGH | CVE-2026-46198 | CNA: Linux

CVE-2026-46198: batman-adv: fix integer overflow on buff_pos

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix integer overflow on buff_pos

Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.

HarborGuard Analysis

Synopsis

An integer overflow vulnerability in the Linux kernel's batman-adv mesh networking driver (batadv_iv_ogm_send_to_if) allows an attacker on the same network segment to trigger an out-of-bounds read. The flaw arises because a size check uses an int type while the buff_pos variable uses a signed 16-bit (s16) type, enabling the buffer position to wrap and read memory outside the intended region. Successful exploitation gives the attacker full read, write, and crash capability against the affected host. Patched-image rebuilds at fix versions 6.6.140, 6.12.90, and 6.18.32 are available on HarborGuard for environments running an affected kernel version.
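A simplified user-space model of the type mismatch described above, added here as an illustration; it is not kernel code or HarborGuard code, and HDR_LEN, the record layout, the function names and the sizes are constructed assumptions. It shows a cursor that the int check approves turning negative once it is stored in a signed 16-bit variable, next to the form where cursor and check share one type.

```c
#include <stdint.h>

/* Constructed user-space model; HDR_LEN, the record layout and all sizes
 * are assumptions for illustration, not values from the kernel source. */
#define HDR_LEN 24
#define MAX_RECORDS 64

/* Bounds check performed in int: does a record starting at pos fit? */
static int record_fits(int pos, int total_len, int payload_len)
{
    return pos + HDR_LEN + payload_len <= total_len;
}

/* Mismatched form: the cursor is a signed 16-bit value while the check
 * works on int. Returns 1 and stores the cursor in *bad_pos if the check
 * approves a position outside [0, total_len); returns 0 otherwise. */
int walk_s16_cursor(int total_len, int payload_len, int *bad_pos)
{
    int16_t pos = 0;

    for (int i = 0; i < MAX_RECORDS && record_fits(pos, total_len, payload_len); i++) {
        if (pos < 0) {          /* check passed, yet the index is negative */
            *bad_pos = pos;
            return 1;
        }
        /* Narrowing store: values above 32767 wrap negative on the usual
         * two's-complement targets (implementation-defined in ISO C). */
        pos = (int16_t)(pos + HDR_LEN + payload_len);
    }
    return 0;
}

/* Consistent form: cursor and check share one type, so the cursor the
 * check approved is the cursor used for indexing. */
int walk_int_cursor(int total_len, int payload_len, int *bad_pos)
{
    int pos = 0;

    for (int i = 0; i < MAX_RECORDS && record_fits(pos, total_len, payload_len); i++) {
        if (pos < 0 || pos >= total_len) {
            *bad_pos = pos;
            return 1;
        }
        pos += HDR_LEN + payload_len;
    }
    return 0;
}
```

With a constructed 60000-byte buffer and 20000-byte records, the 16-bit cursor reaches 40000, is stored as -25536, and still passes the int check; the int cursor stops at the end of the buffer.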

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images, to surface any affected kernel packages. Scans run against both registry images and images in active CI/CD pipelines.

Status: Available

Triage

HarborGuard scores this issue at CVSS 8.8 HIGH and weights it against each environment's compliance policy to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild targeting the fix versions (6.6.140, 6.12.90, or 6.18.32) becomes available through HarborGuard once the upstream fix is confirmed present in the base image. For customers who have auto-remediation enabled, HarborGuard runs a rebuild, executes a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Detail

    The attacker must be on the same adjacent network segment (LAN, VLAN, or VPN) as the target; remote internet-based access is not sufficient.

  • Authentication: Not required

    No account or credentials are needed to send crafted batman-adv OGM packets toward the target.

  • Victim interaction: Not required

    The vulnerability is triggered by network packets alone; no user on the target system needs to take any action.

  • Attack complexity: Detail

    Exploitation is reliable and requires no special environmental conditions, race conditions, or memory layout knowledge.

Blast Radius

  • An attacker reads kernel memory outside the intended buffer, potentially exposing sensitive data such as credentials, keys, or other process memory contents.
  • An attacker gains write-equivalent impact (CVSS I:H), enabling modification of kernel data structures or persisted state.
  • An attacker can crash the affected kernel, taking down all workloads running on that host.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication against all images in connected registries and pipelines, including custom-built images that package an affected kernel version. For environments running kernels older than 6.6.140, 6.12.90, or 6.18.32, a patched-image rebuild becomes available as soon as the fixed kernel package is present in the upstream base image. For customers who opt into auto-remediation, HarborGuard queues a rebuild, runs regression tests, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with fix-version guidance so engineers can act manually. As an interim compensating control, network policy rules that restrict layer-2 adjacency to the batman-adv interface will reduce exposure until the kernel image is rebuilt.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < f61499359fa529f0d45a53bf7c573a49eb6322e6 (from c6c8fea29769d998d94fcec9b9f14d4b52b349d3) · < 974542d1efc48b7e9fe16184e647615cba39969b (from c6c8fea29769d998d94fcec9b9f14d4b52b349d3) · < bf872db54f91ffe70104b98c20068b2d5910e018 (from c6c8fea29769d998d94fcec9b9f14d4b52b349d3) · < b252797bfced986d6d92ec2f4cfcca842ce8aa78 (from c6c8fea29769d998d94fcec9b9f14d4b52b349d3) · < 0799e5943611006b346b8813c7daf7dd5aa26bfd (from c6c8fea29769d998d94fcec9b9f14d4b52b349d3)
  • Linux / Linux
    2.6.38
    Fixed in 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H