Use-After-Free Vulnerability in Linux Kernel Affects Batman-adv Component
CVE-2026-46212

8.8 HIGH

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 28 May 2026

What is CVE-2026-46212?

A use-after-free vulnerability has been identified in the batman-adv component of the Linux kernel. When batadv_bla_del_backbone_claims() removes all claims of a backbone, it drops each claim's link entry from the hash list. The reference held for that link entry must remain in place until the entry has been removed and nothing accesses the claim object any more; only then may batadv_claim_put() be called. If batadv_claim_put() is invoked prematurely, batadv_claim_release() may deallocate the claim before the link entry is safely removed, leading to potential exploitation.
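The ordering problem described above, shown as a simplified userspace model. This is an added illustration, not code from the kernel or from the fix, and all names in it (struct claim, claim_put, bucket_unlink, del_backbone_claims, run_model) are hypothetical. Release only sets a flag, so a use of the link entry after release can be counted safely.

```c
#include <stdio.h>

/* Userspace model with hypothetical names; not kernel code. "Release" only
 * sets a flag, so a late use of the link entry is counted, not a real UAF. */
struct claim {
    int refcount;        /* the bucket's link entry holds this reference */
    int released;        /* set where the kernel would free the claim */
    int backbone_id;
    struct claim *next;  /* link entry in the hash bucket */
};
static int late_uses;    /* link-entry uses that happen after release */

static void claim_put(struct claim *c)
{
    if (--c->refcount == 0)
        c->released = 1; /* stands in for the release callback */
}

static void bucket_unlink(struct claim **pp, struct claim *c)
{
    late_uses += c->released;  /* c->next is read below: count it if released */
    while (*pp && *pp != c)
        pp = &(*pp)->next;
    if (*pp)
        *pp = c->next;
}

/* put_first=1 models put-before-unlink; 0 models unlink-then-put. */
static int del_backbone_claims(struct claim **head, int id, int put_first)
{
    struct claim *c, *next;
    late_uses = 0;
    for (c = *head; c; c = next) {
        next = c->next;  /* saved while c is still referenced */
        if (c->backbone_id != id) continue;
        if (put_first) { claim_put(c); bucket_unlink(head, c); }
        else           { bucket_unlink(head, c); claim_put(c); }
    }
    return late_uses;
}

/* Constructed sample bucket: three claims, two owned by backbone 1. */
static int run_model(int put_first)
{
    struct claim c[3] = {{1, 0, 1, &c[1]}, {1, 0, 2, &c[2]}, {1, 0, 1, NULL}};
    struct claim *head = &c[0];
    return del_backbone_claims(&head, 1, put_first);
}
int main(void) { printf("%d %d\n", run_model(1), run_model(0)); return 0; }
```

With the put issued first, both matching claims are already released when their link entries are unlinked; with the unlink first, none are.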

Affected Version(s)

Linux 23721387c409087fd3b97e274f34d3ddc0970b74 < 1d4b241482d9025c537afb3c7c8419c72c0e0c82

Linux 23721387c409087fd3b97e274f34d3ddc0970b74



CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
