CVE-2026-52916
Analyzed Analyzed - Analysis Complete

Denial of Service in Linux Kernel via Fragmented Packets

Vulnerability report for CVE-2026-52916, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.92 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.34 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.142 (exc)
linux linux_kernel From 3.13 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's batman-adv module, specifically in the handling of fragmented unicast packets (BATADV_UNICAST_FRAG).

A malicious sender can craft a specially designed fragmented packet whose reassembled payload is itself another fragmented packet, creating a nested or 'matryoshka-style' structure.

When the kernel processes these nested fragments, it recursively calls the packet receive function without limit, causing the kernel stack to grow until it is exhausted.

The vulnerability arises because the kernel does not properly discard packets that remain fragmented after defragmentation, allowing this unbounded recursion.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by exhausting the kernel stack.

An attacker sending crafted nested fragmented packets can cause the Linux kernel to crash or become unresponsive due to stack exhaustion.

This can disrupt normal network operations and potentially affect the availability of systems running the vulnerable batman-adv module.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the issue has been resolved.

The fix involves discarding all BATADV_UNICAST_FRAG packets that remain BATADV_UNICAST_FRAG packets after the defragmentation process, preventing nested fragments from exhausting the kernel stack.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52916. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart