CVE-2026-52934
Received - Intake
Buffer Overflow in Linux Kernel batman-adv TVLV Handling

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: tvlv: reject oversized TVLV packets

batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers.

The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's batman-adv component, specifically in the handling of TVLV packets. The function batadv_tvlv_container_list_size() calculates the total size of a TVLV packet section using a 16-bit unsigned integer (u16) accumulator. If the total size exceeds the maximum value for u16 (U16_MAX), the size value wraps around, resulting in an undersized allocation in batadv_tvlv_container_ogm_append(). Consequently, a memcpy-style operation writes beyond the allocated buffer, causing kernel memory corruption.

The fix involved changing the return type of batadv_tvlv_container_list_size() to size_t to prevent overflow, and adding a check in batadv_tvlv_container_ogm_append() to ensure the computed length does not exceed U16_MAX, aborting the operation if it does.
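The wraparound and the corrected length check, as an added userspace model (not the kernel's code or the actual patch): the struct, the function names, `HDR_LEN`, and the sample sizes are assumptions made for illustration. It only compares the computed sizes and exercises the checked path; the overflowing copy itself is not performed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model; names and HDR_LEN are assumptions, not kernel code. */
#define HDR_LEN 4u
struct container { const unsigned char *data; size_t len; };

/* Constructed sample: three 30000-byte containers, true total 90012. */
static unsigned char payload[30000];
static const struct container three[3] = {
    { payload, 30000 }, { payload, 30000 }, { payload, 30000 } };

/* Before: u16 accumulator and return type, the sum wraps modulo 65536. */
static uint16_t list_size_u16(const struct container *c, size_t n)
{
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total = (uint16_t)(total + HDR_LEN + c[i].len);
    return total;
}

/* After: size_t accumulator keeps the true total. */
static size_t list_size_wide(const struct container *c, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += HDR_LEN + c[i].len;
    return total;
}

/* Hardened append: a total above UINT16_MAX is treated like a failed
 * allocation (NULL), so the copy loop never exceeds the buffer. */
static unsigned char *append_checked(const struct container *c, size_t n)
{
    size_t total = list_size_wide(c, n);
    unsigned char *buf, *p;
    if (total > UINT16_MAX || !(buf = calloc(1, total + 1)))
        return NULL;
    p = buf;
    for (size_t i = 0; i < n; i++) {
        p += HDR_LEN;                    /* header stays zeroed here */
        memcpy(p, c[i].data, c[i].len);
        p += c[i].len;
    }
    return buf;
}

int main(void) { return append_checked(three, 3) == NULL ? 0 : 1; }
```

With the constructed sample, the u16 sum reports 24476 bytes for data that needs 90012, a shortfall of exactly 65536 bytes, which is the gap the widened type and the `U16_MAX` check close.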

Impact Analysis

This vulnerability can lead to kernel memory corruption due to a buffer overflow caused by an undersized memory allocation followed by an out-of-bounds write. Such corruption can destabilize the system, potentially causing crashes, data loss, or enabling an attacker to execute arbitrary code with kernel privileges.
