HarborGuard / CVE

HIGH | CVE-2026-46238 | CNA: Linux

CVE-2026-46238: batman-adv: stop caching unowned originator pointers in BAT IV

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: stop caching unowned originator pointers in BAT IV

BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.

Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.

[sven: avoid bonding logic for outgoing OGM]

HarborGuard Analysis

Synopsis

A use-after-free exists in the batman-adv mesh networking subsystem of the Linux kernel. The BAT IV routing algorithm stored, in per-neighbor state, an originator pointer obtained from a temporary lookup without holding a reference to it. Once purge handling reclaimed that originator entry, the neighbor state still pointed at freed memory, and the paths that consulted the cached pointer dereferenced it. The fix stops storing the pointer: BAT IV now resolves the originator from the stored neighbor address when it needs it and drops the reference after use. Per the CVSS vector (AV:A/PR:N/UI:N), the trigger is mesh traffic from an adjacent, unauthenticated peer; the scored impact covers disclosure of kernel memory, corruption of kernel data structures, and a crash of the host. The fix is in kernels 6.6.140, 6.12.90, 6.18.32, 7.0.9 and 7.1-rc4; patched-image rebuilds against the fixed stable kernels are available on HarborGuard for affected environments.
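The ownership mistake described above, modelled in user-space C as an added example. This is not batman-adv code and not HarborGuard's; the type and function names, the purge timeout, the static slab and the poison byte are this example's own assumptions. neigh_cached keeps a pointer it does not own, as the pre-fix BAT IV neighbor state did; neigh_by_addr keeps only the address and takes its own reference on each use, as the fix does. After purge handling reclaims the originator, the cached pointer yields poison where the live address used to be, while the lookup-by-address path reports the originator as gone:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the commit message's pattern; type and function names are this example's own, not batman-adv's. */
#define ADDR_LEN 6
#define PURGE_TIMEOUT 200   /* assumed: entries unseen this long are purged */
#define POISON_FREE 0x6b    /* written over "freed" entries, like SLUB poisoning */
struct orig_entry {
    uint8_t addr[ADDR_LEN];
    int refcount, last_seen;   /* the table holds one reference; users take their own */
    struct orig_entry *next;
};
struct orig_table { struct orig_entry *head; };
/* Entries come from a tiny static slab and are poisoned rather than free()d when the
 * last reference goes, so a read through a stale pointer stays defined behaviour here. */
static struct orig_entry slab[8];
static int slab_used;

static void orig_put(struct orig_entry *o)
{
    if (--o->refcount > 0) return;
    memset(o->addr, POISON_FREE, ADDR_LEN);   /* a real kernel kfree()s and reuses the slot */
}

static void orig_add(struct orig_table *t, const uint8_t *addr, int now)
{
    if (slab_used == 8) abort();
    struct orig_entry *o = &slab[slab_used++];
    memset(o, 0, sizeof *o);
    memcpy(o->addr, addr, ADDR_LEN);
    o->refcount = 1; o->last_seen = now;      /* the table's own reference */
    o->next = t->head; t->head = o;
}

/* Look up by address and take a reference; the caller must orig_put() it. */
static struct orig_entry *orig_get(struct orig_table *t, const uint8_t *addr)
{
    for (struct orig_entry *o = t->head; o; o = o->next)
        if (memcmp(o->addr, addr, ADDR_LEN) == 0) { o->refcount++; return o; }
    return NULL;
}

/* Purge handling: unlink expired entries and drop the table's reference. */
static void orig_purge(struct orig_table *t, int now)
{
    for (struct orig_entry **pp = &t->head; *pp; ) {
        struct orig_entry *o = *pp;
        if (now - o->last_seen <= PURGE_TIMEOUT) { pp = &o->next; continue; }
        *pp = o->next;
        orig_put(o);
    }
}

/* Vulnerable neighbor state: caches an originator pointer from a temporary lookup without owning a reference. */
struct neigh_cached { uint8_t addr[ADDR_LEN]; struct orig_entry *orig; };

static void neigh_cached_init(struct neigh_cached *n, struct orig_table *t, const uint8_t *addr)
{
    struct orig_entry *o = orig_get(t, addr);
    memcpy(n->addr, addr, ADDR_LEN);
    n->orig = o;            /* pointer kept ... */
    if (o) orig_put(o);     /* ... reference dropped: nothing pins the entry any more */
}

/* Reads "freed" memory once purge has run: the use-after-free. */
static int neigh_cached_orig_first_byte(const struct neigh_cached *n) { return n->orig ? n->orig->addr[0] : -1; }

/* Fixed pattern: keep only the address; resolve, use and put on every access. */
struct neigh_by_addr { uint8_t addr[ADDR_LEN]; };

static int neigh_by_addr_orig_first_byte(const struct neigh_by_addr *n, struct orig_table *t)
{
    struct orig_entry *o = orig_get(t, n->addr);
    if (!o) return -1;      /* originator is gone: report it instead of touching freed memory */
    int b = o->addr[0]; orig_put(o);
    return b;
}

/* One originator, one neighbor, optional purge before the neighbor reads. Returns the byte
 * observed: 0x02 (live entry), 0x6b (poison via the stale cached pointer) or -1 (reported gone). */
int scenario(int purge_first, int use_fixed_pattern)
{
    static const uint8_t mac[ADDR_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};  /* constructed */
    struct orig_table t = {0};
    struct neigh_cached nc; struct neigh_by_addr na;
    slab_used = 0;
    orig_add(&t, mac, 0);
    neigh_cached_init(&nc, &t, mac);
    memcpy(na.addr, mac, ADDR_LEN);
    if (purge_first) orig_purge(&t, PURGE_TIMEOUT + 1);
    return use_fixed_pattern ? neigh_by_addr_orig_first_byte(&na, &t) : neigh_cached_orig_first_byte(&nc);
}

int main(void)
{
    printf("live: 0x%02x  stale: 0x%02x  by address after purge: %d\n", scenario(0, 0), scenario(1, 0), scenario(1, 1));
    return 0;
}
```

The model poisons instead of freeing so that the stale read is defined behaviour; on a real kernel the slot goes back to the slab allocator, and whatever is allocated there next is what the stale pointer reads or writes, which is why the impact ratings reach past a plain crash. The rule the fix applies is general: a pointer stored in a longer-lived object must come with a reference that object owns, or the object must store a key and look the target up on each use.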

HarborGuard Coverage

Detection: Available

The CVE is ingested from the upstream kernel advisory feed within minutes of publication and matched against customer images, including custom-built images that package an affected kernel. An image is flagged, in both registry scans and CI pipeline checks, when its kernel falls below the fix for its own stable series. The comparison has to be per series rather than against a single threshold: 6.12.90 carries the fix while the numerically larger 6.18.31 does not. Matching on the kernel release string alone cannot see distribution backports that fix the bug without bumping the upstream version, so for distribution kernels the package version or changelog is the authoritative signal.

Triage: Available

HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine the urgency tier. Triage routing can direct the finding to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at the fixed kernel versions (6.6.140, 6.12.90, 6.18.32 or 7.0.9 for the stable series; 7.1-rc4 on mainline) becomes available through HarborGuard once the upstream fix is confirmed in the image layer. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.
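A series-aware version check, added here as an example; it is not HarborGuard's matching code. The fix versions are the ones this page lists. The rule for release candidates (a fix that landed in 7.1-rc4 covers that rc, later rcs and the final 7.1 release), the treatment of series with no listed fix, and the function names are this example's assumptions. The single-threshold rule "older than the newest fixed version" is included for contrast, to show that it marks every fixed stable kernel as vulnerable:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Added example: series-aware matching of a kernel release string against the fix
 * versions this page lists. Names and the rc rule are this example's assumptions. */
struct ver { int major, minor, patch, rc; };   /* rc == 0 means a final release */

static const struct ver fixes[] = {            /* from the "Fixed in" list on this page */
    {6, 6, 140, 0}, {6, 12, 90, 0}, {6, 18, 32, 0}, {7, 0, 9, 0}, {7, 1, 0, 4},
};
#define NFIX (sizeof fixes / sizeof fixes[0])
static const struct ver introduced = {2, 6, 38, 0};   /* batman-adv first shipped in 2.6.38 */

enum status { KV_NOT_AFFECTED, KV_AFFECTED, KV_FIXED, KV_NO_FIX_LISTED, KV_UNPARSEABLE };

/* Parse "6.12.90", "7.1-rc4", "7.1.0-rc4" or "6.6.140-generic"; returns 0 on failure. */
static int parse_ver(const char *s, struct ver *v)
{
    const char *rc = strstr(s, "-rc");
    int n = sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch);
    if (n < 2 || v->major < 0 || v->minor < 0) return 0;
    if (n == 2) v->patch = 0;                  /* "7.1-rc4" has no patch level yet */
    v->rc = rc ? atoi(rc + 3) : 0;
    return !rc || v->rc > 0;                   /* "-rc" without a number: refuse to guess */
}

static int cmp_release(const struct ver *a, const struct ver *b)   /* ignores rc */
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    return a->patch - b->patch;
}

/* Compare against the fix in the kernel's own stable series, not against one threshold. */
static enum status classify(const struct ver *v)
{
    if (cmp_release(v, &introduced) < 0) return KV_NOT_AFFECTED;
    for (size_t i = 0; i < NFIX; i++) {
        const struct ver *f = &fixes[i];
        if (v->major != f->major || v->minor != f->minor) continue;
        if (f->rc)   /* fix landed in an rc: that rc, later rcs and the final release carry it */
            return (v->rc == 0 || v->rc >= f->rc) ? KV_FIXED : KV_AFFECTED;
        return v->patch >= f->patch ? KV_FIXED : KV_AFFECTED;
    }
    /* No fix listed for this series: anything newer than the mainline fix inherits it;
     * older series (6.1.y, 5.15.y, ...) have no fix on this page and need a distro check. */
    return cmp_release(v, &fixes[NFIX - 1]) > 0 ? KV_FIXED : KV_NO_FIX_LISTED;
}

/* The single-threshold rule "older than the newest fixed version", for contrast: it marks
 * every fixed stable kernel (6.6.140, 6.12.90, ...) as vulnerable because they sort below 7.1. */
static int naive_below_newest_fix(const struct ver *v)
{
    return cmp_release(v, &fixes[NFIX - 1]) < 0;
}

int status_of(const char *release)
{
    struct ver v;
    return parse_ver(release, &v) ? (int)classify(&v) : KV_UNPARSEABLE;
}

int naive_flags(const char *release)
{
    struct ver v;
    return parse_ver(release, &v) && naive_below_newest_fix(&v);
}

int main(void)
{
    static const char *names[] = {"not affected", "affected", "fixed", "no fix listed", "unparseable"};
    struct utsname u;
    if (uname(&u) != 0) return 1;
    printf("%s: %s (naive single-threshold rule: %s)\n", u.release, names[status_of(u.release)],
           naive_flags(u.release) ? "affected" : "clear");
    return 0;
}
```

Run directly, the program classifies the running kernel from uname(2). The release string is only a usable signal for upstream stable kernels: distributions backport fixes without changing the upstream version shown in uname -r, so for those the package version and changelog decide, not this comparison.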

Exploit Conditions

  • Network reachability: Adjacent (AV:A)

    The attacker must be able to put a batman-adv frame on a link that a vulnerable host has attached to its mesh, which means being a peer on the same Layer-2 segment: a LAN, a wireless mesh link, or a Layer-2 (tap) VPN. batman-adv frames carry their own Ethernet type, so IP routing never forwards them and exploitation over the general internet is not possible. The code is reachable only when the batman_adv module is loaded and an interface is attached to a mesh, and only on the BAT IV routing path, which is the default algorithm.

  • Authentication: Not required (PR:N)

    The protocol neither authenticates nor encrypts OGMs; no credentials of any kind are needed to send the traffic that reaches the affected path.

  • Victim interaction: Not required (UI:N)

    Exploitation is fully attacker-driven; no user or administrator action on the target host is required.

  • Attack complexity: Low (AC:L)

    The CVSS assessment is that no special access conditions outside the attacker's control are needed to reach the bug. That metric describes reachability, not exploit reliability: the cached pointer only becomes dangerous once purge handling has reclaimed the originator, so the attacker has to line up traffic with the purge timer, and what a read or write through the pointer then hits depends on what the allocator has placed in the freed slot. The advisory establishes the stale dereference, not a working exploit.

Blast Radius

The impact ratings (C:H/I:H/A:H) cover what a use-after-free in kernel context can yield; the advisory itself establishes the stale dereference, not a working exploit for each outcome.

  • Information disclosure: a read through the stale originator pointer returns whatever now occupies the freed slot, which can expose kernel memory contents such as credentials or keys.
  • Memory corruption: a write through the stale pointer lands in memory the allocator may already have reassigned, corrupting kernel data structures; in the worst case that is a path to privilege escalation or code execution in kernel context.
  • Denial of service: the most readily reachable outcome; a kernel oops or panic takes down the host and every workload running on it.
  • Shared-kernel scope: every container on the host shares the affected kernel and is exposed to the same impact, not only the process handling batman-adv traffic. A VM runs its own kernel and is exposed only if that guest kernel runs batman-adv.

How HarborGuard Handles This

Available on HarborGuard: detection is matched against all images in connected registries and build pipelines within minutes of CVE publication, covering both upstream base images and internally built images. For environments running an affected kernel, a patched-image rebuild targeting 6.6.140, 6.12.90, 6.18.32 or 7.0.9 is available as soon as the fixed kernel is present in the image layer. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute the configured regression-test suite, and open a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

While a kernel upgrade is staged, the compensating control depends on whether the host needs mesh routing at all. The vulnerable path is reachable only if the batman_adv module is loaded and an interface is attached to a mesh, so on hosts that do not use batman-adv, unloading and blacklisting the module removes the attack surface entirely. On mesh nodes, restrict which interfaces are attached to the mesh and which peers can reach those links at Layer 2: any peer that can place an OGM on an attached link reaches the BAT IV code, and IP-level firewalling does not see batman-adv frames, which travel in their own Ethernet frame type.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4
Affected Products: 2

Fix available

Fix commits (stable backports and mainline, listed without a mapping to releases):
  • 09dc0d1a12222ffca6481916eab3cfea477b9620
  • 67bceeb22207f1f5a402973a3a0809e5f2698f38
  • 6e20700f8c524ac379ba8274ff5d453023b7c006
  • aafcbaf1159ea224528ca4075d0ba8c10ef374af
  • f03e8583532941b07761c5429de7d50766fa3110

Fixed versions: 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4

Affected packages
  • Linux / Linux (git): affected from c6c8fea29769d998d94fcec9b9f14d4b52b349d3 (the commit that added batman-adv) up to, but not including, each of the five fix commits above
  • Linux / Linux (releases): affected from 2.6.38; fixed in 6.6.140, 6.12.90, 6.18.32, 7.0.9 and 7.1-rc4

CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H