CVE-2026-52919
Analyzed Analyzed - Analysis Complete

batadv_tp_sender counter underflow in Linux kernel

Vulnerability report for CVE-2026-52919, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix tp_meter counter underflow during shutdown batadv_tp_sender_shutdown() unconditionally decrements the "sending" atomic counter. If multiple paths (e.g. timeout, user cancel, and normal finish) call this function, the counter can underflow to -1. Since the sender logic treats any non-zero value as "still sending", a negative value causes the sender kthread to loop indefinitely. This leads to a use-after-free when the interface is removed while the zombie thread is still active. Fix this by using atomic_xchg() to ensure the counter only transitions from 1 to 0 once. [sven: added missing change in batadv_tp_send]

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-08
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.92 (exc)
linux linux_kernel From 4.8 (inc) to 5.10.258 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.34 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.142 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's batman-adv component, specifically in the tp_meter counter during shutdown. The function batadv_tp_sender_shutdown() decreases an atomic counter called "sending" unconditionally. If this function is called multiple times from different paths (such as timeout, user cancel, or normal finish), the counter can underflow to -1.

Because the sender logic treats any non-zero value as "still sending," a negative value causes the sender kernel thread to loop indefinitely. This results in a use-after-free condition when the network interface is removed while this zombie thread is still active.

The fix involves using atomic_xchg() to ensure the counter only transitions from 1 to 0 once, preventing the underflow.

Impact Analysis

This vulnerability can cause a kernel thread to loop indefinitely, leading to a use-after-free condition in the Linux kernel's batman-adv networking component.

Such a use-after-free can potentially cause system instability, crashes, or unpredictable behavior when the affected network interface is removed while the zombie thread is still active.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where the batman-adv tp_meter counter underflow issue is resolved.

Specifically, the fix involves correcting the batadv_tp_sender_shutdown() function to prevent the atomic counter from underflowing, which avoids the sender kthread looping indefinitely and causing a use-after-free.

  • Update your Linux kernel to the latest version that includes this fix.
  • Avoid removing interfaces while the sender thread is active until the fix is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52919. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart