CVE-2026-46208 Overview
CVE-2026-46208 is a Linux kernel vulnerability in the batman-adv (Better Approach To Mobile Ad-hoc Networking) module. The flaw affects the throughput meter (tp_meter) subsystem used to benchmark mesh link performance. TP meter sessions remain linked on bat_priv->tp_list after the netlink request completes. When the mesh interface is removed, batadv_mesh_free() tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then operate against a mesh instance that is already shutting down, leading to a use-after-free condition during teardown.
Critical Impact
Concurrent tp_meter activity during mesh interface removal can dereference freed mesh state, resulting in kernel memory corruption or denial of service.
Affected Products
- Linux kernel versions containing the batman-adv module with tp_meter netlink support
- Stable kernel branches receiving the backported fix referenced in commits 03660dab86f9, 26dfeee8db81, 3d3cf6a7314a, 79bc0eaeef2c, and 8634c1dbd73a
- Mesh networking deployments using B.A.T.M.A.N. Advanced for ad-hoc routing
Discovery Timeline
- 2026-05-28 - CVE-2026-46208 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46208
Vulnerability Analysis
The batman-adv module implements a throughput meter that measures end-to-end performance between mesh nodes. Users initiate sessions through netlink, which spawns a sender kernel thread and registers session state on the per-interface bat_priv->tp_list. The netlink call returns once the session is queued, but the worker thread continues to operate asynchronously and packets may arrive from peers at any time.
The vulnerability stems from missing lifecycle synchronization between the tp_meter subsystem and the mesh interface. When batadv_mesh_free() runs to dismantle the interface, it does not stop sessions still attached to tp_list or wait for sender threads to exit. The sender thread and the receive path can therefore continue executing against bat_priv memory while teardown progresses. This race produces a use-after-free [CWE-416] on the freed mesh private structure.
Root Cause
The root cause is incomplete teardown ordering. The session list outlives the netlink request that created it, and batadv_mesh_free() previously assumed no active references remained. Without explicit cancellation, the kernel relies on best-effort timing rather than enforced synchronization between session workers and interface shutdown.
Attack Vector
An attacker with the ability to initiate tp_meter sessions on a mesh interface, or to inject tp_meter packets on the mesh, can trigger the race by starting a session and then removing or replacing the mesh interface. The vulnerability requires local access to issue the netlink command or adjacent mesh access to send late packets. Successful exploitation can produce kernel crashes and, depending on heap state, may corrupt freed memory.
The fix stops all active sessions from batadv_mesh_free() and waits for sender threads to exit before teardown continues, restoring proper lifecycle synchronization. See the kernel commit log for the implementation.
Detection Methods for CVE-2026-46208
Indicators of Compromise
- Kernel oops or panic messages referencing batadv_tp_meter, batadv_tp_send, or batadv_mesh_free in dmesg or /var/log/kern.log
- KASAN use-after-free reports implicating bat_priv allocations during interface removal
- Unexpected reboots or NMI watchdog events on nodes running mesh interfaces with active throughput measurements
Detection Strategies
- Enable KASAN on test kernels to surface use-after-free conditions in batman-adv during interface lifecycle tests
- Audit running kernel versions against the fixed commits to identify hosts still exposed
- Monitor for processes invoking batctl tp or raw netlink calls to the batman-adv family in close proximity to interface teardown events
Monitoring Recommendations
- Collect kernel ring buffer logs centrally and alert on stack traces containing batadv_ symbols
- Track ip link and batctl activity on mesh nodes to correlate interface removal with prior tp_meter sessions
- Validate kernel package versions across fleets using configuration management to confirm patch rollout
How to Mitigate CVE-2026-46208
Immediate Actions Required
- Update Linux kernels to a stable release that includes the upstream fix from commits 03660dab86f9, 26dfeee8db81, 3d3cf6a7314a, 79bc0eaeef2c, or 8634c1dbd73a
- Inventory systems loading the batman_adv module and prioritize patching mesh gateway and edge devices
- Restrict access to netlink interfaces for the batman-adv family to trusted administrative users only
Patch Information
The fix synchronizes tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues. Patches are available in the mainline kernel and have been backported to stable trees. Refer to the kernel.org stable commit for the authoritative change.
Workarounds
- Unload the batman_adv module on systems that do not require mesh networking using modprobe -r batman_adv
- Avoid running batctl tp or other tp_meter netlink operations on interfaces scheduled for removal
- Blacklist the module on hosts where mesh functionality is not used to remove the attack surface entirely
# Configuration example
# Verify kernel version against patched release
uname -r
# Check whether batman-adv is loaded
lsmod | grep batman_adv
# Disable the module if mesh networking is not required
echo 'blacklist batman_adv' | sudo tee /etc/modprobe.d/disable-batman-adv.conf
sudo modprobe -r batman_adv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
