CRITICAL · CVE-2026-52931 · CNA: Linux

CVE-2026-52931: batman-adv: tp_meter: avoid use of uninit sender vars

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tp_meter: avoid use of uninit sender vars

batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior. This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet. Guard against this by checking tp_vars->role immediately after the lookup and bailing out if it is not BATADV_TP_SENDER, before any of those members are accessed.
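The role check the fix describes, as an added C model that is not the kernel's batman-adv code: only the two role names come from the advisory, while the struct layout, the session table, and the function names are assumptions made for illustration. The unguarded handler reaches the sender-only members of a receiver-role session; the guarded one bails out right after the lookup.

```c
#include <stdint.h>
#include <string.h>

/* Added model of the bug and its fix, not the kernel's batman-adv code: only
 * the role names come from the advisory; struct layout, function names and
 * the session table are assumptions for illustration. */
enum batadv_tp_meter_role { BATADV_TP_RECEIVER = 0, BATADV_TP_SENDER = 1 };
enum ack_result { ACK_APPLIED, ACK_REJECTED_ROLE, ACK_READ_UNINIT, ACK_NO_SESSION };

struct tp_vars {
    uint8_t session[2];           /* session id carried in every tp_meter packet */
    enum batadv_tp_meter_role role;
    int sender_state_valid;       /* set only by sender-side setup */
    uint32_t last_acked, cwnd;    /* sender-only members */
};

/* Constructed sessions: this node sends in {1,1} and receives in {2,2}; the
 * receiver session never initialised its sender-only members. */
static struct tp_vars sessions[2] = {
    { {1, 1}, BATADV_TP_SENDER,   1, 100, 8 },
    { {2, 2}, BATADV_TP_RECEIVER, 0,   0, 0 },
};
static struct tp_vars *tp_list_find(const uint8_t *session) {
    for (int i = 0; i < 2; i++)
        if (memcmp(sessions[i].session, session, 2) == 0)
            return &sessions[i];
    return NULL;
}
/* Sender-side ACK bookkeeping. Real code would silently read garbage from a
 * receiver-role session; the model reports the uninitialised access instead. */
static enum ack_result update_sender_state(struct tp_vars *tp, uint32_t ack_seq) {
    if (!tp->sender_state_valid) return ACK_READ_UNINIT;
    if (ack_seq > tp->last_acked) {
        tp->last_acked = ack_seq;
        tp->cwnd++;
    }
    return ACK_APPLIED;
}
/* Before the fix: the role is never checked after the lookup. */
enum ack_result recv_ack_unguarded(const uint8_t *session, uint32_t ack_seq) {
    struct tp_vars *tp = tp_list_find(session);
    if (!tp) return ACK_NO_SESSION;
    return update_sender_state(tp, ack_seq);
}
/* After the fix: bail out right after the lookup unless we are the sender. */
enum ack_result recv_ack_guarded(const uint8_t *session, uint32_t ack_seq) {
    struct tp_vars *tp = tp_list_find(session);
    if (!tp) return ACK_NO_SESSION;
    if (tp->role != BATADV_TP_SENDER) return ACK_REJECTED_ROLE;
    return update_sender_state(tp, ack_seq);
}
```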

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

This is a use-of-uninitialized-variable vulnerability in the Linux kernel's batman-adv mesh networking throughput-meter (tp_meter) subsystem. It is reachable over the network with no authentication required, and affects any node running batman-adv that is acting as a receiver in an active tp_meter session. A remote attacker who sends a crafted ACK packet to such a node can trigger undefined behavior by forcing the kernel to read sender-only state variables that were never initialized, enabling full read, write, and crash-level impact on the affected host. Patched-image rebuilds at fix versions 5.10.258 and 5.15.209 are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-52931 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel version. Any image in a customer registry or CI/CD pipeline that contains a vulnerable batman-adv kernel build is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL using the provided CVSS v3.1 vector and weighs that score against each environment's active compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticketing integration configured for the relevant team inside each customer organization.

Patch: Available

A patched-image rebuild targeting kernel versions 5.10.258 and 5.15.209 becomes available in HarborGuard the moment those upstream releases are confirmed in the advisory. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression-test pass, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target node over the network; the vulnerable code path is triggered by a remotely sent crafted ACK packet.

  • Authentication: Not required

    No account or credential is needed; the malicious ACK packet can be sent by any unauthenticated network peer.

  • Victim interaction: Not required

    No action by a user on the target node is required; the exploit succeeds purely through receipt of the crafted packet.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and requires no race condition, special memory layout, or environmental precondition beyond the target being in an active tp_meter receiver session.

Blast Radius

  • A successful attacker causes the kernel to read uninitialized sender-only memory, which can expose sensitive kernel memory contents including cryptographic material, session state, or pointer values.
  • The undefined behavior from accessing uninitialized variables allows arbitrary kernel memory writes, enabling an attacker to overwrite kernel data structures and escalate privileges or inject malicious code into kernel context.
  • The attacker can crash the affected node entirely by corrupting kernel state through the uninitialized variable access, causing a kernel panic and full service disruption.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all customer registries and pipelines scanning Linux-based images. Because this is rated 9.8 CRITICAL, it is prioritized at the top of the triage queue and routed according to each environment's compliance policy immediately on match. Where compliance policy permits auto-remediation, HarborGuard will rebuild images at kernel version 5.10.258 or 5.15.209 (whichever branch applies), run a regression test pass, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that do not enable auto-remediation, HarborGuard surfaces the finding with remediation guidance pointing to the specific fix commits so teams can coordinate their own upgrade cycle. In the interim, network-policy isolation limiting which peers can send batman-adv control traffic to receiver nodes is a practical compensating control to reduce exposure while an upgrade is scheduled.


Fix available

Affected packages
  • Linux / Linux
    < 0e388af04b3958b178a1b979527f93eb46ea1fee (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < 1a21c055f66e78973712a4a1be2a554f1ee2e4f4 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < 9884c9c02d3c90e9215db3c5128f59045d20ae91 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < 53f931e0146ae5bdab4cba302646827d06b3794b (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < ecdaa3e4d91040206afe21bc8a0d1198a0971ff3 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e) · < dc2ae5fbd2dadc26735092f140b246841d969a11 (from 33a3bb4a3345bb511f9c69c913da95d4693e2a4e)
  • Linux / Linux (by version)
    From 4.8
    Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H