CVE-2026-46206 Overview
CVE-2026-46206 is a Linux kernel vulnerability in the batman-adv (Better Approach To Mobile Ad-hoc Networking, advanced) subsystem. The flaw allows new tp_meter (throughput meter) sender or receiver sessions to start after the mesh_state has transitioned out of BATADV_MESH_ACTIVE. The fix rejects new tp_meter sessions during mesh teardown to prevent use of partially torn-down state. The vulnerability has been resolved upstream in the mainline kernel through multiple stable backports.
Critical Impact
New tp_meter sessions starting during batman-adv mesh teardown can interact with state that is no longer active, creating a race condition between session initiation and subsystem shutdown.
Affected Products
- Linux kernel batman-adv subsystem (mainline)
- Linux stable kernel branches receiving the backported fix
- Distributions shipping affected kernel versions with batman-adv enabled
Discovery Timeline
- 2026-05-28 - CVE-2026-46206 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46206
Vulnerability Analysis
The batman-adv kernel module implements a layer-2 mesh routing protocol. It includes a tp_meter facility used to measure throughput between mesh nodes by establishing sender and receiver sessions. The subsystem tracks operational status through the mesh_state variable, which transitions through states including BATADV_MESH_ACTIVE during normal operation and other states during teardown.
Before the fix, tp_meter did not validate mesh_state when starting new sessions. A new sender or receiver session could be initiated after mesh_state had already left BATADV_MESH_ACTIVE. This creates a window where session setup proceeds against a subsystem already preparing to release resources.
See the kernel commit ff93f86e fix and parallel backports for the resolution details.
Root Cause
The root cause is a missing precondition check in the tp_meter session-start paths. The code did not confirm that mesh_state == BATADV_MESH_ACTIVE before allocating and registering session structures. This is a race condition between mesh teardown and session creation in the net/batman-adv source tree.
Attack Vector
The trigger requires the ability to invoke tp_meter operations on a system running batman-adv while the mesh interface is being torn down. This is a local kernel-side concurrency issue rather than a remote attack vector. The vulnerability description does not document any in-the-wild exploitation, and no public proof-of-concept is referenced.
The vulnerability manifests in the tp_meter session establishment functions within batman-adv. Refer to the upstream commits for the precise code paths and the added state validation.
Detection Methods for CVE-2026-46206
Indicators of Compromise
- No documented indicators of compromise are published for this issue.
- Kernel log warnings, oopses, or KASAN reports referencing batman-advtp_meter paths during interface teardown may indicate the race condition.
Detection Strategies
- Inventory hosts running kernels with batman-adv compiled or loaded, and compare against fixed kernel versions referenced in the linked stable commits.
- Monitor dmesg and journal output for batman-adv warnings co-occurring with mesh interface shutdown events.
- Use package management tooling to verify kernel build identifiers against vendor advisories.
Monitoring Recommendations
- Track loaded kernel modules across the fleet and alert when batman-adv is present on unexpected systems.
- Forward kernel logs to a centralized logging or SIEM platform to correlate tp_meter activity with mesh state transitions.
- Review change management records for kernel updates to confirm patched builds are deployed.
How to Mitigate CVE-2026-46206
Immediate Actions Required
- Apply the latest stable Linux kernel update from your distribution that includes the batman-advtp_meter teardown fix.
- If patching is not immediately possible and batman-adv is not required, unload the module with modprobe -r batman_adv and blacklist it.
- Restrict access to interfaces capable of issuing tp_meter commands on affected systems.
Patch Information
The fix is committed across multiple stable branches. See the kernel commit 3243543592425beec83d453793e9d27caa0d8e66, kernel commit ca39545cf07c142b39d474a1439a046bf28def3d, kernel commit e1e2194cc725ec1d41f9412496212f0fa0519c36, kernel commit e4a3c4a4c8f6efd243c3e448c05b7bebcbf7b3b6, and kernel commit ff93f86ecbb50a4709c403fc279a396e308edde5. Rebuild or install distribution kernels that incorporate these commits.
Workarounds
- Disable or unload the batman-adv module on systems that do not require mesh networking.
- Avoid issuing tp_meter commands during or near interface teardown until the patched kernel is in place.
- Restrict CAP_NET_ADMIN privileges that allow configuring batman-adv interfaces to trusted administrative accounts.
# Configuration example
# Unload and blacklist batman-adv where mesh networking is not required
sudo modprobe -r batman_adv
echo "blacklist batman-adv" | sudo tee /etc/modprobe.d/blacklist-batman-adv.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
