CVE-2026-52916 - Vulnerability Details

- batman-adv: frag: disallow unicast fragment in fragment

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: frag: disallow unicast fragment in fragment

batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a
BATADV_UNICAST_FRAG packet is received. Once all fragments are collected
and the packet is reassembled, batadv_recv_frag_packet() calls
batadv_batman_skb_recv() again to process the defragmented payload.

A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled
payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).
Each nesting level recurses through batadv_batman_skb_recv() without bound,
growing the kernel stack until it is exhausted.

Since refragmentation or fragments in fragments are not actually allowed,
discard all packets which are still BATADV_UNICAST_FRAG packets after the
defragmentation process.

Published: 2026-06-24

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 0c208fa3859e3a33a1c38bebc41d021166e94ac8
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< bcda4814dc6524283c0b958882cb963d75fe411d
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< aea54d0bbe156d5ab7d00d68f66149ff41f4612a
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< b54e459cf86943583c1aa2ee3081874e7ab1f5f3
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 5418be6c2e117bf8a316582795a8e3ff90f45e5d
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 5895ad21c7059a652da83fb817510f7a1e962abf
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< 7138c35c9ad39a2fca6264af6b87466471f04ffc
`610bfc6bc99bc83680d190ebc69359a05fc7f605`	affected	< bc62216dc8e221e3781afa14430f45208bfa9af9

Linux

affected

Version	Status	Constraints
`3.13`	affected	—
`0`	unaffected	< 3.13
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.142`	unaffected	≤ 6.6.*
`6.12.92`	unaffected	≤ 6.12.*
`6.18.34`	unaffected	≤ 6.18.*
`7.0.11`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,0c208fa3859e3a33a1c38bebc41d021166e94ac8)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,5418be6c2e117bf8a316582795a8e3ff90f45e5d)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,5895ad21c7059a652da83fb817510f7a1e962abf)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,7138c35c9ad39a2fca6264af6b87466471f04ffc)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,aea54d0bbe156d5ab7d00d68f66149ff41f4612a)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,b54e459cf86943583c1aa2ee3081874e7ab1f5f3)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,bc62216dc8e221e3781afa14430f45208bfa9af9)`	affected	code_commit	—
`[610bfc6bc99bc83680d190ebc69359a05fc7f605,bcda4814dc6524283c0b958882cb963d75fe411d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.13`	affected	generic	—
`[0,3.13)`	unaffected	generic	—
`[5.10.258,5.11.0)`	unaffected	semver	—
`[5.15.209,5.16.0)`	unaffected	semver	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.142,6.7.0)`	unaffected	semver	—
`[6.12.92,6.13.0)`	unaffected	semver	—
`[6.18.34,6.19.0)`	unaffected	semver	—
`[7.0.11,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00177.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8
https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d
https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf
https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc
https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a
https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3
https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9
https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d
https://lore.kernel.org/linux-cve-announce/2026062429-CVE-2026-52916-3619@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-52916
https://www.cve.org/CVERecord?id=CVE-2026-52916

History

Thu, 25 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://lore.kernel.org/linux-cve-announce/2026062429-CVE-2026-52916-3619@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-52916 https://www.cve.org/CVERecord?id=CVE-2026-52916

Wed, 24 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400 CWE-674

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.
Title		batman-adv: frag: disallow unicast fragment in fragment
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8 https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3 https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9 https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:13.221Z

Updated: 2026-06-24T07:14:13.221Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52916

Vulnrichment

No data.

NVD

No data.

Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52916 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-25T02:00:05Z

Weaknesses

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object