CVE-2026-52931
Received Received - Intake
Use of Uninitialized Sender Variables in batman-adv tp_meter

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: batman-adv: tp_meter: avoid use of uninit sender vars batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior. This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet. Guard against this by checking tp_vars->role immediately after the lookup and bailing out if it is not BATADV_TP_SENDER, before any of those members are accessed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52931
EUVD
EUVD-2026-38701
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's batman-adv module, specifically in the tp_meter component. The functions batadv_tp_recv_ack() and batadv_tp_stop() are designed to operate only when the tp_vars structure has the role BATADV_TP_SENDER. However, if these functions are called when the role is BATADV_TP_RECEIVER, they attempt to read sender-only variables that were never initialized. This leads to undefined behavior.

The issue can be triggered when a node acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet. The fix involves checking the role immediately after looking up tp_vars and exiting early if the role is not BATADV_TP_SENDER, preventing access to uninitialized sender variables.

Impact Analysis

This vulnerability can cause undefined behavior in the Linux kernel's batman-adv module when a malicious ACK packet is received by a node acting as a receiver. Undefined behavior in kernel code can potentially lead to system instability, crashes, or other unpredictable outcomes, which may affect the reliability and security of the affected system.

Mitigation Strategies

The vulnerability is resolved by ensuring that the functions batadv_tp_recv_ack() and batadv_tp_stop() only operate on tp_vars with the BATADV_TP_SENDER role. To mitigate this vulnerability immediately, you should update your Linux kernel to a version where this fix is applied.

Specifically, the fix involves checking the tp_vars->role immediately after lookup and exiting if it is not BATADV_TP_SENDER, preventing access to uninitialized sender-only members.

Until you can update, consider monitoring or blocking malicious ACK packets that could trigger this issue in ongoing tp_meter sessions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart