CVE-2026-46238 Overview
CVE-2026-46238 is a Linux kernel vulnerability in the batman-adv mesh networking module. The flaw resides in the BAT IV routing protocol implementation, which cached an originator pointer derived from a temporary lookup inside the neigh_node structure. The cached pointer was not owned by the neigh_node and could reference a freed originator entry after purge handling executed. This creates a stale pointer condition affecting kernel memory safety in mesh networking deployments.
Critical Impact
A stale originator pointer in BAT IV neighbor state can be dereferenced after the underlying originator entry is purged, leading to potential use-after-free conditions in the Linux kernel networking stack.
Affected Products
- Linux kernel batman-adv module (BAT IV routing protocol)
- Linux distributions shipping affected kernel versions prior to the upstream fix
- Mesh networking deployments using B.A.T.M.A.N. Advanced
Discovery Timeline
- 2026-05-28 - CVE-2026-46238 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46238
Vulnerability Analysis
The batman-adv (Better Approach To Mobile Ad-hoc Networking, Advanced) kernel module implements layer-2 mesh routing for Linux. The BAT IV variant maintains routing state through neigh_node structures that track the last-hop neighbor address for each route. Beyond the neighbor address, some code paths additionally cached an auxiliary pointer to the originator entry obtained through a temporary lookup.
The neigh_node did not own a reference on this cached originator pointer. When the originator purge logic removed the corresponding entry, the cached pointer in the neighbor state became stale. Subsequent dereferences of this pointer access memory that may have been freed or reallocated, producing classic use-after-free behavior [CWE-416].
The upstream fix removes the auxiliary originator pointer from BAT IV neighbor state. When the originator data is required, the code now resolves it from the stored neighbor address and drops the reference immediately after use. A secondary change avoids invoking bonding logic for outgoing OGM (Originator Message) traffic.
Root Cause
The root cause is improper lifetime management of an unowned pointer. The BAT IV neighbor structure stored a raw pointer to an originator object without holding a reference count, while the originator's lifecycle was controlled independently by the purge subsystem.
Attack Vector
Exploitation requires the target to process batman-adv mesh traffic. An attacker with the ability to inject or influence OGM traffic on a mesh network could potentially trigger the conditions where originator entries are purged while neighbor state retains the stale pointer. Refer to the upstream commits for the precise code paths involved.
Detection Methods for CVE-2026-46238
Indicators of Compromise
- Kernel oops or panic messages referencing batman-adv functions in the call trace
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in batadv_iv_* routines
- Unexpected interface or mesh routing instability on hosts running batman-adv
Detection Strategies
- Audit running kernel versions against the patched commits referenced in the upstream stable tree
- Enable KASAN on test kernels to surface use-after-free conditions in batman-adv code paths
- Inventory hosts loading the batman_adv kernel module via lsmod or equivalent telemetry
Monitoring Recommendations
- Collect dmesg and /var/log/kern.log entries and alert on batman-adv kernel warnings
- Monitor for unexpected module loads of batman_adv on systems where mesh networking is not expected
- Track kernel package versions across the fleet to confirm patch deployment status
How to Mitigate CVE-2026-46238
Immediate Actions Required
- Identify systems with the batman_adv module loaded and prioritize them for patching
- Apply the upstream kernel patches referenced in the stable tree commits as soon as vendor builds are available
- On systems that do not require mesh networking, unload and blacklist the batman_adv module
Patch Information
The fix is published in the upstream Linux stable tree across the following commits: Kernel Git Commit 09dc0d1, Kernel Git Commit 67bceeb, Kernel Git Commit 6e20700, Kernel Git Commit aafcbaf, and Kernel Git Commit f03e858. Track your Linux distribution's security advisories for backported kernel package releases.
Workarounds
- Blacklist the batman_adv module on hosts that do not require mesh networking
- Restrict physical and logical access to mesh network segments to trusted devices only
- Where mesh routing is required, consider switching to BAT V until patched kernels are deployed
# Configuration example: blacklist batman-adv on systems that do not require it
echo 'blacklist batman_adv' | sudo tee /etc/modprobe.d/blacklist-batman-adv.conf
sudo modprobe -r batman_adv
lsmod | grep batman_adv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
