CVE-2026-52916
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
In the Linux kernel, the batman-adv module is vulnerable to recursive processing of BATADV_UNICAST_FRAG packets. A malicious sender can craft a packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet, leading to unbounded recursion and kernel stack exhaustion.
Risk Assessment
An attacker can cause a kernel panic by sending specially crafted packets, resulting in network service disruption and potential denial of service.
Recommendation
Immediately update the Linux kernel to a version containing the fix that discards BATADV_UNICAST_FRAG packets after defragmentation. Check for the patch in your distribution and apply it urgently.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.

