Bug 2492114 (CVE-2026-52934) - CVE-2026-52934 kernel: batman-adv: tvlv: reject oversized TVLV packets
Summary: CVE-2026-52934 kernel: batman-adv: tvlv: reject oversized TVLV packets
Keywords:
Status: NEW
Alias: CVE-2026-52934
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 08:02 UTC by OSIDB Bzimport
Modified: 2026-06-24 12:40 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 08:02:38 UTC 
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.
Comment 1 Mauro Matteo Cascella 2026-06-24 12:32:57 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062433-CVE-2026-52934-ad11@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.