CVE Catalog

CVE-2026-52916

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

In the Linux kernel, the batman-adv module is vulnerable to recursive processing of BATADV_UNICAST_FRAG packets. A malicious sender can craft a packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet, leading to unbounded recursion and kernel stack exhaustion.

Risk Assessment

An attacker can cause a kernel panic by sending specially crafted packets, resulting in network service disruption and potential denial of service.

Recommendation

Immediately update the Linux kernel to a version containing the fix that discards BATADV_UNICAST_FRAG packets after defragmentation. Check for the patch in your distribution and apply it urgently.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS