Bug 2492114 (CVE-2026-52934)

Summary: CVE-2026-52934 kernel: batman-adv: tvlv: reject oversized TVLV packets
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's batman-adv (Better Approach To Mobile Ad-hoc Networking - Advanced) module. An integer overflow vulnerability in the TVLV (Type-Length-Value) packet processing can lead to an undersized memory allocation. This allows a subsequent operation to write beyond the intended buffer, causing kernel memory corruption. This issue could potentially be exploited by an attacker to achieve a denial of service or, in some cases, arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-24 08:02:38 UTC 
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.
Comment 1 Mauro Matteo Cascella 2026-06-24 12:32:57 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062433-CVE-2026-52934-ad11@gregkh/T