CVE-2026-46231 Overview
CVE-2026-46231 is a memory leak vulnerability in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module. The flaw resides in the Bridge Loop Avoidance (BLA) subsystem, specifically in the batadv_bla_add_claim() function. When the function fails to insert a new claim into the claim hash table, it does not release the reference held on the associated backbone_gw object. Repeated failures can exhaust kernel memory tied to backbone gateway structures.
Critical Impact
Reference counting errors in kernel networking code can lead to resource exhaustion and degraded availability of mesh networking on affected Linux systems.
Affected Products
- Linux kernel (mainline) with batman-adv module enabled
- Linux stable kernel branches receiving the referenced backport commits
- Distributions shipping mesh networking via batman-adv
Discovery Timeline
- 2026-05-28 - CVE-2026-46231 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46231
Vulnerability Analysis
The batman-adv module implements a Layer 2 mesh routing protocol for the Linux kernel. Its Bridge Loop Avoidance feature prevents forwarding loops when multiple mesh nodes bridge into the same LAN. BLA tracks client MAC addresses through claim entries, each linked to a backbone_gw structure that represents the responsible gateway. These objects are reference counted to coordinate cleanup across asynchronous code paths.
The vulnerability stems from a missing reference release on the error path of batadv_bla_add_claim(). The function acquires a reference to the backbone_gw before inserting a new claim into the hash table. When the hash insertion fails, the function returns without calling batadv_backbone_gw_put(), leaving the reference count elevated. The targeted backbone gateway object never reaches zero references and is never freed.
Root Cause
The root cause is improper error-path cleanup in reference-counted kernel objects [CWE-401]. The patched code adds a call to batadv_backbone_gw_put() when the claim hash insert fails, balancing the earlier reference acquisition and allowing normal object teardown.
Attack Vector
Triggering the leak requires conditions that cause batadv_bla_add_claim() to fail at hash insertion. Such conditions are typically reached through traffic patterns on a mesh interface participating in BLA. The result is a kernel memory leak rather than direct code execution. The vulnerability is described as resolved in the upstream commits referenced by the kernel.org git tree and does not have a published proof-of-concept exploit.
For technical detail, review the upstream fix in the Kernel Git Commit and the additional stable backports listed in the references.
Detection Methods for CVE-2026-46231
Indicators of Compromise
- Growth in kernel slab allocations associated with batman-adv backbone gateway objects over time
- Increasing memory consumption on systems running batman-adv with BLA enabled, without a corresponding workload change
- Kernel log entries from the batman-adv subsystem referencing claim hash operations under sustained mesh activity
Detection Strategies
- Monitor /proc/slabinfo for unbounded growth in batman-adv related caches on mesh-enabled hosts
- Audit installed kernel versions and confirm whether the relevant stable backports listed in the kernel.org commits are applied
- Correlate node uptime with available memory trends to identify slow-leak patterns characteristic of reference count bugs
Monitoring Recommendations
- Track kernel version inventory across Linux fleets and flag hosts running batman-adv on unpatched kernels
- Alert on sustained reductions in MemAvailable on mesh gateway nodes with no clear workload driver
- Capture batctl diagnostics on hosts where BLA is active to baseline normal backbone gateway counts
How to Mitigate CVE-2026-46231
Immediate Actions Required
- Identify Linux hosts loading the batman-adv module, especially those configured with Bridge Loop Avoidance
- Apply the latest stable kernel update from your distribution that incorporates the upstream fix
- Reboot affected systems after kernel upgrade to clear any leaked backbone gateway references
Patch Information
The fix calls batadv_backbone_gw_put() on the failure path of batadv_bla_add_claim(). Stable kernel patches are available via the kernel.org git tree under commits 0baf4b659cdc, 65419eb4259a, 7cccf4eb4f96, ba9d20ee9076, and fd0ca034c1e7.
Workarounds
- Unload the batman-adv module on hosts that do not require mesh networking using modprobe -r batman_adv
- Disable Bridge Loop Avoidance on mesh interfaces where it is not strictly required via batctl configuration
- Blocklist module autoload on systems where mesh networking is not in scope
# Verify whether batman-adv is loaded and disable if not required
lsmod | grep batman_adv
sudo modprobe -r batman_adv
echo "blacklist batman-adv" | sudo tee /etc/modprobe.d/blacklist-batman-adv.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
