CVE-2026-46233 Overview
CVE-2026-46233 is a NULL pointer dereference vulnerability in the Linux kernel's batman-adv (Better Approach To Mobile Ad-hoc Networking) module. The flaw resides in the Bridge Loop Avoidance (BLA) subsystem, specifically inside batadv_bla_purge_claims(). The function traverses the claims hash list under an rcu_read_lock() only, which races against batadv_claim_release(). When a claim is concurrently released, its backbone_gw field is set to NULL before the delayed RCU free runs. A subsequent call to batadv_bla_claim_get_backbone_gw() then dereferences NULL, crashing the kernel.
Critical Impact
A race condition between claim purging and claim release in the batman-adv mesh networking module can trigger a kernel NULL pointer dereference, resulting in a denial-of-service condition on affected Linux systems.
Affected Products
- Linux kernel versions containing the batman-adv module prior to the upstream fix
- Linux distributions shipping vulnerable stable kernel branches
- Systems using batman-adv mesh networking with Bridge Loop Avoidance enabled
Discovery Timeline
- 2026-05-28 - CVE-2026-46233 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46233
Vulnerability Analysis
The batman-adv kernel module implements Layer 2 mesh networking and uses Bridge Loop Avoidance to prevent forwarding loops between mesh gateways. Each claim entry tracks a client MAC address bound to a backbone gateway. The purge routine batadv_bla_purge_claims() walks the claim hash to remove expired entries.
The function uses only rcu_read_lock() for traversal. This protects against the underlying memory being freed mid-iteration but does not guarantee that the claim object is still logically alive. A parallel batadv_claim_put() invocation can drop the final reference and schedule batadv_claim_release(), which clears claim->backbone_gw before the delayed RCU kfree.
If the purge code calls batadv_bla_claim_get_backbone_gw() on such an in-flight released claim, it dereferences a NULL backbone_gw pointer. The result is a kernel oops and likely a panic on systems configured to panic on oops.
Root Cause
The root cause is a race condition (TOCTOU-class) between reference-counted object teardown and RCU-protected traversal. RCU guarantees the memory remains valid until the grace period ends, but the object's internal state was already nullified during release. The fix is to purge only claims whose reference counter can still be successfully incremented, skipping claims already in the release path since they are guaranteed to be cleaned up.
Attack Vector
Exploitation requires conditions on the local system that cause concurrent claim insertion, lookup, and release operations within the batman-adv module. An attacker on the mesh network, or a local user able to influence mesh traffic patterns, may be able to induce the race and trigger the NULL pointer dereference. The realistic impact is denial of service through a kernel crash. The vulnerability is described as a logic flaw in concurrent list management. See the upstream commits referenced below for the precise patch logic.
Detection Methods for CVE-2026-46233
Indicators of Compromise
- Kernel oops or panic messages referencing batadv_bla_purge_claims or batadv_bla_claim_get_backbone_gw in dmesg or /var/log/kern.log
- NULL pointer dereference stack traces involving the batman_adv module
- Unexpected reboots or watchdog timeouts on nodes running batman-adv mesh networking
Detection Strategies
- Monitor kernel ring buffer output for crash signatures involving batman_adv symbols and BUG/Oops markers
- Inventory all hosts loading the batman_adv kernel module via lsmod and correlate against the patched kernel version list
- Track running kernel versions across the fleet and flag systems on stable branches that have not yet picked up the referenced fix commits
Monitoring Recommendations
- Forward kern.log and journalctl -k output to a centralized log platform and alert on Oops, BUG:, or NULL pointer dereference strings paired with batadv_ symbols
- Enable kdump on hosts using batman-adv so crash dumps can be analyzed post-incident
- Audit mesh-networking endpoints, including IoT gateways and embedded devices, where batman-adv is commonly deployed
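The pairing rule from the monitoring recommendations above, as an added shell example (not part of the original advisory): it reports a crash only when a NULL pointer dereference marker is followed, within the same report, by a batadv_ symbol. The sample log lines are constructed, and the function names and the 40-line default window are assumptions.

```shell
#!/bin/sh
# Added example: pair a NULL-dereference marker with a batadv_ symbol
# instead of alerting on either string alone.

# Usage: <kernel log on stdin> | scan_batadv_oops [window]
# Prints "<line number of crash marker> <first batadv_ symbol>" per hit.
# window (assumed default 40) = lines after the marker that still
# count as part of the same crash report.
scan_batadv_oops() {
    awk -v window="${1:-40}" '
        /NULL pointer dereference/ {        # x86 and arm64 wording both match
            start = NR; armed = 1; next
        }
        armed && NR - start > window { armed = 0 }   # report ended, disarm
        armed && match($0, /batadv_[A-Za-z0-9_]+/) {
            print start, substr($0, RSTART, RLENGTH)
            armed = 0                       # one alert per crash report
        }
    '
}

# Constructed sample: one batman-adv crash, one unrelated NULL dereference.
sample_log() {
    cat <<'EOF'
[  100.000001] batman_adv: bat0: Adding interface: eth1
[  512.340001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  512.340002] #PF: supervisor read access in kernel mode
[  512.340003] Oops: 0000 [#1] SMP
[  512.340004] RIP: 0010:batadv_bla_claim_get_backbone_gw+0x12/0x40 [batman_adv]
[  512.340005] Call Trace:
[  512.340006]  batadv_bla_purge_claims+0x9a/0x1c0 [batman_adv]
[  900.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  900.000002] RIP: 0010:example_driver_poll+0x8/0x30 [example_driver]
EOF
}

# Live use: journalctl -k | scan_batadv_oops   (or: dmesg | scan_batadv_oops)
sample_log | scan_batadv_oops
```

The unrelated crash at the end of the sample is not reported, which is the difference from matching `batadv` or `null pointer` independently.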
How to Mitigate CVE-2026-46233
Immediate Actions Required
- Update affected Linux kernels to a version that includes the upstream batman-adv fix commits
- Identify all hosts loading batman_adv and prioritize patching mesh gateways and bridge nodes first
- If patching is delayed, restrict access to the mesh network and reduce churn that triggers claim insertion and release
Patch Information
The issue is resolved by upstream Linux kernel commits that change batadv_bla_purge_claims() to only operate on claims with a valid (incrementable) reference counter, skipping claims already being released. Relevant fix commits include Linux Kernel Commit 7b7ebb7222, Linux Kernel Commit 7b8fbcee31, Linux Kernel Commit ab3dbd07a8, Linux Kernel Commit b65365d2b1, and Linux Kernel Commit cf6b604011. Apply the patched kernel from your distribution as soon as it is available.
Workarounds
- Unload the batman_adv module on systems that do not require mesh networking using modprobe -r batman_adv
- Blacklist the module via /etc/modprobe.d/ to prevent automatic loading where mesh functionality is not needed
- Disable Bridge Loop Avoidance on batman-adv interfaces if operationally acceptable until the kernel patch is deployed
```bash
# Verify whether batman_adv is loaded and check for crash traces
lsmod | grep batman_adv
dmesg | grep -iE 'batadv|null pointer'

# Blacklist the module on systems that do not need mesh networking
echo 'blacklist batman_adv' | sudo tee /etc/modprobe.d/disable-batman-adv.conf
sudo modprobe -r batman_adv
```


