Bug 2492113 (CVE-2026-52916) - CVE-2026-52916 kernel: batman-adv: frag: disallow unicast fragment in fragment
Status: NEW
Alias: CVE-2026-52916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Assignee: Product Security
Reported: 2026-06-24 08:02 UTC by OSIDB Bzimport
Modified: 2026-06-24 10:34 UTC (History)

Description OSIDB Bzimport 2026-06-24 08:02:34 UTC
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: frag: disallow unicast fragment in fragment

batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a
BATADV_UNICAST_FRAG packet is received. Once all fragments are collected
and the packet is reassembled, batadv_recv_frag_packet() calls
batadv_batman_skb_recv() again to process the defragmented payload.

A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled
payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).
Each nesting level recurses through batadv_batman_skb_recv() without bound,
growing the kernel stack until it is exhausted.

Since refragmentation or fragments in fragments are not actually allowed,
discard all packets which are still BATADV_UNICAST_FRAG packets after the
defragmentation process.
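
Added example, not part of the original report or of the kernel patch: a simplified userspace C model of the receive path described above, showing that recursion depth follows the nesting level when the post-defragmentation check is absent, and that the check drops the packet at the first level. The one-byte packet layout, the type values and all function names are assumptions made for this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Model only: type values and the 1-byte "header" layout are constructed. */
enum { PKT_UNICAST = 1, PKT_UNICAST_FRAG = 2 };
enum { RX_DROP = 0, RX_DELIVERED = 1 };

static int max_depth; /* deepest receive-handler nesting seen in one run */

static int rx(const uint8_t *pkt, size_t len, int guard, int depth);

/* Stand-in for reassembly: strip the wrapper byte to expose the payload. */
static const uint8_t *reassemble(const uint8_t *pkt, size_t len, size_t *out)
{
    if (len < 2)
        return NULL;
    *out = len - 1;
    return pkt + 1;
}

/* Fragment handler: re-enters rx() with the reassembled payload. */
static int rx_frag(const uint8_t *pkt, size_t len, int guard, int depth)
{
    size_t inner_len;
    const uint8_t *inner = reassemble(pkt, len, &inner_len);

    if (!inner)
        return RX_DROP;
    /* The fix from the description: still a fragment after defrag -> drop. */
    if (guard && inner[0] == PKT_UNICAST_FRAG)
        return RX_DROP;
    return rx(inner, inner_len, guard, depth + 1);
}

/* Receive dispatcher, standing in for the per-type handler lookup. */
static int rx(const uint8_t *pkt, size_t len, int guard, int depth)
{
    if (depth > max_depth)
        max_depth = depth;
    if (len < 1)
        return RX_DROP;
    if (pkt[0] == PKT_UNICAST_FRAG)
        return rx_frag(pkt, len, guard, depth);
    return pkt[0] == PKT_UNICAST ? RX_DELIVERED : RX_DROP;
}

/* Constructed input: `levels` wrappers around one unicast packet.
 * Returns the deepest nesting reached; *verdict gets the rx() result. */
int run_model(int levels, int guard, int *verdict)
{
    uint8_t buf[64];
    size_t n = 0;

    for (int i = 0; i < levels && n < sizeof(buf) - 2; i++)
        buf[n++] = PKT_UNICAST_FRAG;
    buf[n++] = PKT_UNICAST;
    buf[n++] = 0xAA; /* constructed payload byte */
    max_depth = 0;
    *verdict = rx(buf, n, guard, 0);
    return max_depth;
}
```

A legitimate single-level fragment is still delivered with the check enabled; only payloads that remain fragments after reassembly are discarded.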

Comment 1 Mauro Matteo Cascella 2026-06-24 10:31:05 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062429-CVE-2026-52916-3619@gregkh/T
