Bug 2492100 (CVE-2026-52914)

Summary: CVE-2026-52914 kernel: batman-adv: fix fragment reassembly length accounting
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's batman-adv component. This vulnerability allows a local attacker to cause a denial of service (DoS) by sending malformed fragment chains. The flaw is due to incorrect accounting of fragment reassembly length, which can be truncated during updates, bypassing validation and leading to inconsistent length states during reassembly.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-24 08:02:01 UTC
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix fragment reassembly length accounting

batman-adv keeps a running payload length for queued fragments and uses it
to validate a fragment chain before reassembly.

That accounting currently allows the accumulated fragment length to be
truncated during updates. As a result, malformed fragment chains can
bypass the intended validation and drive reassembly with inconsistent
length state, leading to a local denial of service.

Fix the accounting by storing the accumulated length in a length-typed
field and rejecting update overflows before the existing validation logic
runs.

The fix was verified against the original reproducer and against valid
fragment reassembly paths.

Comment 1 Mauro Matteo Cascella 2026-06-24 13:04:49 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062428-CVE-2026-52914-f89a@gregkh/T