HarborGuard / CVE
Back to search
HIGHCVE-2026-46206Published Modified CNA Linux

CVE-2026-46206: batman-adv: reject new tp_meter sessions during teardown

In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject new tp_meter sessions during teardown Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A use-after-free or race-condition flaw exists in the Linux kernel's batman-adv mesh networking subsystem, specifically in the tp_meter component. An attacker with a low-privilege local account can trigger the vulnerability by initiating new throughput-meter sessions during the mesh interface teardown sequence, after the mesh state has left BATADV_MESH_ACTIVE. Successful exploitation grants full read, write, and crash capability over the affected kernel context. A patched-image rebuild at the fix versions (6.6.140, 6.12.90, 6.18.32, and the corresponding commit for each stable branch) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

HarborGuard ingests CVE records from upstream feeds, including the Linux kernel CNA, within minutes of publication and is capable of matching this CVE against every customer image in connected registries and CI pipelines. Detection coverage extends to custom-built images that bundle an affected kernel version, not only upstream base images.

Available
Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 vector and is capable of weighting that score against each environment's compliance policy to escalate or suppress notifications appropriately. Triage routing to the correct team inbox within each customer organization is available as part of the standard policy engine.

Available
Patch

A patched-image rebuild at the fix versions (6.6.140, 6.12.90, or 6.18.32 depending on the branch in use) is available on HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads without manual intervention.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network-facing service exposure is required.

  • AuthenticationRequired

    Any low-privilege local account is sufficient; no administrative or root credentials are needed to trigger the vulnerable code path.

  • Victim interactionNot required

    No user interaction is required; the attacker can execute the exploit entirely on their own.

  • Attack complexityDetail

    Exploit reliability is high and no special environmental conditions, race wins, or memory-layout dependencies are noted in the CVSS scoring.

Blast Radius

  • Reads arbitrary kernel memory, exposing credentials, cryptographic material, or other sensitive data held in kernel space.
  • Writes to kernel memory structures, allowing modification of security-relevant kernel state or persisted data.
  • Crashes the affected kernel, taking down the entire host and all workloads running on it.
  • The scope is contained to the compromised host (CVSS Scope:Unchanged), so lateral movement requires a separate step.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46206 is active across all connected environments and will match any image running a kernel version in the affected range. Where compliance policy permits, customers with auto-remediation enabled can receive a rebuilt image at 6.6.140, 6.12.90, or 6.18.32 (branch-dependent), a regression-test run, and a PR opened against affected workloads. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 7.8 HIGH severity and fix-version guidance so engineering teams can schedule the kernel update. Because the vulnerability requires local access, compensating controls such as restricting shell access to nodes running batman-adv interfaces and enforcing least-privilege pod security policies can reduce exposure while a patched image is prepared. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

See how HarborGuard automates this

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
0
Affected Products
2

Fix available

03243543592425beec83d453793e9d27caa0d8e666.6.1406.12.906.18.327.0.97.1-rc4ca39545cf07c142b39d474a1439a046bf28def3de1e2194cc725ec1d41f9412496212f0fa0519c36e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6ff93f86ecbb50a4709c403fc279a396e308edde5
Affected packages
  • Linux / Linux
    < e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < ff93f86ecbb50a4709c403fc279a396e308edde5 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < e1e2194cc725ec1d41f9412496212f0fa0519c36 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < ca39545cf07c142b39d474a1439a046bf28def3d (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < 3243543592425beec83d453793e9d27caa0d8e66 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e)
  • Linux / Linux
    4.8
    Fixed in 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References