CVE-2026-46212: batman-adv: bla: prevent use-after-free when deleting claims
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: prevent use-after-free when deleting claims

When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.
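The ordering rule in the description above, shown as a small userspace model. This is an added example, not kernel or batman-adv code; the struct, the function names and the sample claims are hypothetical, and a `released` flag stands in for the free so the model never touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not batman-adv code. */
struct claim {
    int refcount;   /* one of these references belongs to the hash-list link */
    bool linked;    /* still reachable through the list */
    bool released;  /* set where the kernel would free the object */
};

static int stale_accesses; /* accesses made after the object was released */

static void claim_put(struct claim *c)
{
    if (--c->refcount == 0)
        c->released = true; /* stands in for the release callback */
}

static void claim_unlink(struct claim *c)
{
    if (c->released)
        stale_accesses++; /* in a kernel this is the use-after-free */
    c->linked = false;
}

/* Constructed sample: three claims held only by the list, one with an extra holder. */
int run_model(bool put_before_unlink)
{
    struct claim claims[] = { {1, true, false}, {1, true, false},
                              {2, true, false}, {1, true, false} };
    stale_accesses = 0;
    for (size_t i = 0; i < sizeof(claims) / sizeof(claims[0]); i++) {
        if (put_before_unlink) {      /* order the description warns about */
            claim_put(&claims[i]);
            claim_unlink(&claims[i]);
        } else {                      /* put is the last operation on the object */
            claim_unlink(&claims[i]);
            claim_put(&claims[i]);
        }
    }
    return stale_accesses;
}

int main(void)
{
    printf("put first: %d stale accesses\n", run_model(true));
    printf("put last:  %d stale accesses\n", run_model(false));
    return 0;
}
```

Only the claims whose last reference was the list link are affected by the wrong order; the claim with a second holder survives either way, which is why this class of bug can stay hidden in testing.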
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Linux kernel's batman-adv bridge loop avoidance (BLA) subsystem. An attacker on the same adjacent network segment can trigger the flaw without any authentication, exploiting a race between claim object de-reference and memory release in batadv_bla_del_backbone_claims(). Successful exploitation gives the attacker full read, write, and crash capability over the affected host. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected Linux kernel version. Any image whose kernel falls below the fixed commit is flagged automatically.
Available
HarborGuard scores this finding at CVSS 8.8 HIGH and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within the customer org based on workload ownership rules.
Available
A patched-image rebuild targeting the fixed kernel commits is available on HarborGuard for any image confirmed to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability
The attacker must be on the same adjacent network segment (LAN, VLAN, or VPN) as the target; remote exploitation over the open internet is not possible with this vector.
- Authentication: Not required
No account or credentials of any kind are required to attempt exploitation.
- Victim interaction: Not required
The attacker does not need to trick any user into performing an action; exploitation is entirely attacker-driven.
- Attack complexity
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other environmental factors beyond adjacency.
Blast Radius
- Reads arbitrary kernel memory, exposing cryptographic keys, session tokens, and other sensitive in-memory data.
- Overwrites kernel memory structures, allowing the attacker to tamper with running processes or escalate to full kernel code execution.
- Crashes the affected host by corrupting freed memory, causing a kernel panic and complete service disruption.
- Any container or workload co-located on the host is exposed to the same impact because the vulnerability is at the kernel level.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image whose kernel predates the fixed commits (00155f336a5e8b, 0cc9847c64cb6e6, 368449e467d5f1e, 4ae1709a314060a). For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched kernel version, executes regression tests, and opens a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merge, the pull request is staged and routed to the owning team for approval. Customers who cannot immediately rebuild are advised to apply network-policy controls that restrict adjacency to the affected nodes, limiting the pool of hosts that can reach the batman-adv interface.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
Fix available
- Linux / Linux: < 368449e467d5f1e2c2e987bf2bd57000ba75e10b (from 23721387c409087fd3b97e274f34d3ddc0970b74) · < 6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472 (from 23721387c409087fd3b97e274f34d3ddc0970b74) · < 00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401 (from 23721387c409087fd3b97e274f34d3ddc0970b74) · < 0cc9847c64cb6e61118bc78c9187c8209a7197fa (from 23721387c409087fd3b97e274f34d3ddc0970b74) · < 4ae1709a314060a196981b344610d023ea841e57 (from 23721387c409087fd3b97e274f34d3ddc0970b74)
- Linux / Linux: 3.5 · Fixed in 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H