HIGH · CVE-2026-46208 · CNA: Linux

CVE-2026-46208: batman-adv: stop tp_meter sessions during mesh teardown

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: stop tp_meter sessions during mesh teardown

TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down.

Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.

HarborGuard Analysis

Synopsis

A use-after-free race condition exists in the batman-adv mesh networking module of the Linux kernel. The flaw is reachable locally by a low-privileged user and requires no interaction from another user. Successful exploitation gives an attacker full read, write, and crash capability over the affected system. A patched-image rebuild at kernel version 6.6.140 (and the listed commit fixes) is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-46208 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built kernel or base images that carry an affected Linux kernel version. No manual configuration is required for the match to fire.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.8 HIGH using the published v3.1 vector, and weighs it against each environment's compliance policy to assign priority. Triage results are routed to the appropriate team inbox within the customer org based on image ownership and policy rules.

Status: Available

Patch

A patched-image rebuild targeting kernel 6.6.140 and the upstream fix commits becomes available on HarborGuard once a base image incorporating the fix is published. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient to trigger the race condition during mesh interface teardown.

  • Victim interaction: Not required

    No other user needs to take any action; the attacker can trigger the race entirely on their own.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race-window timing, memory layout guessing, or other environmental conditions beyond having local access.

Blast Radius

  • Reads protected kernel memory, including credentials, keying material, and data belonging to other processes.
  • Writes to kernel memory structures, allowing privilege escalation or persistent manipulation of kernel state.
  • Crashes the affected system by corrupting mesh teardown state, causing a kernel panic or oops.
  • Any container or workload sharing the host kernel is exposed because the vulnerability lives in kernel space, not in a user-space process.

How HarborGuard Handles This

Available on HarborGuard: once a base image carrying the 6.6.140 kernel or one of the listed fix commits is published upstream, a patched rebuild is made available for any customer image found to include an affected kernel version.

For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes the configured regression tests, and opens a patch PR against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is approximately 90 minutes. Where compliance policy does not permit auto-remediation, the finding is surfaced in the triage queue with the fix version details attached.

Until a patched image is deployed, HarborGuard supports compensating controls through network policy annotations: because the batman-adv code path is only reachable from a local shell, restricting interactive access to nodes running this kernel module (for example, by enforcing PodSecurityAdmission policies that block privileged or host-network workloads) reduces the practical attack surface.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • Versions: 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4
  • Commits:
    03660dab86f93319178a24667f6998526dc4355d
    26dfeee8db81354bfdade155f27f9e16510ad196
    3d3cf6a7314aca4df0a6dde28ce784a2a30d0166
    79bc0eaeef2c5797317bf2da8e3159a74d62ec47
    8634c1dbd73adb74d40533ebb7e914efb82e71fb

Affected packages
  • Linux / Linux
    < 79bc0eaeef2c5797317bf2da8e3159a74d62ec47 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e)
    < 26dfeee8db81354bfdade155f27f9e16510ad196 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e)
    < 03660dab86f93319178a24667f6998526dc4355d (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e)
    < 8634c1dbd73adb74d40533ebb7e914efb82e71fb (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e)
    < 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e)
  • Linux / Linux
    4.8
    Fixed in 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
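
A branch-aware triage check built from the "Fixed in" versions listed above, added here as an example and not HarborGuard's or the kernel project's own code. The function names and sample inputs are constructed. It assumes upstream version numbering (distribution kernels that backport fixes need the vendor's advisory instead) and that the module appears as `batman_adv` in `/proc/modules`.

```python
import re

# Per-series fix versions copied from this page's "Fixed in" list.
# The list's "0" entry is not a kernel version and is not used.
FIXED_BY_SERIES = {(6, 6): 140, (6, 12): 90, (6, 18): 32, (7, 0): 9}
INTRODUCED = (4, 8)       # "Linux / Linux 4.8" under Affected packages
FIXED_MAINLINE = (7, 1)   # 7.1-rc4 carries the fix
FIXED_MAINLINE_RC = 4

def classify(release):
    """Classify a `uname -r` style string against the page's fix list."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        return "unknown"
    series = (int(m[1]), int(m[2]))
    patch = int(m[3] or 0)
    rc = int(m[4]) if m[4] else None
    if series < INTRODUCED:
        return "not affected"
    if series in FIXED_BY_SERIES:
        return "fixed" if patch >= FIXED_BY_SERIES[series] else "affected"
    if series > FIXED_MAINLINE:
        return "fixed"
    if series == FIXED_MAINLINE:
        # A final release (no -rc suffix) is later than any release candidate.
        return "fixed" if rc is None or rc >= FIXED_MAINLINE_RC else "affected"
    # Series between 4.8 and 7.1 with no fix version listed on this page,
    # e.g. 6.7.x: a higher number than 6.6.140 does not imply the fix.
    return "affected"

def module_loaded(proc_modules, name="batman_adv"):
    """True if `name` is the first field of any /proc/modules line."""
    return any(line.split()[:1] == [name] for line in proc_modules.splitlines())

def triage(release, proc_modules):
    """Combine the version verdict with whether the module is loaded now."""
    status = classify(release)
    if status == "affected" and module_loaded(proc_modules):
        return "affected, batman_adv loaded"
    return status

# Constructed sample of /proc/modules content (not taken from a real host).
SAMPLE_MODULES = (
    "batman_adv 229376 0 - Live 0x0000000000000000\n"
    "libcrc32c 16384 1 batman_adv, Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    for rel in ("6.6.139", "6.6.140-1-amd64", "6.7.12", "7.1.0-rc3"):
        print(rel, "->", triage(rel, SAMPLE_MODULES))
```
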