High severity · 7.1 · NVD Advisory · Published Sep 19, 2025 · Updated May 12, 2026

CVE-2025-39839

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix OOB read/write in network-coding decode

batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small out-of-bounds write.

Validate that coded_len fits within the payload area of both destination and source sk_buffs before XORing.
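
The length validation described above, as an added user-space C sketch (not the kernel's code and not the upstream patch). `struct pkt`, `HDR_LEN` (a stand-in for `sizeof(struct batadv_unicast_packet)`) and the function names are assumptions made for illustration; the buffers are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: stand-in for sizeof(struct batadv_unicast_packet). */
#define HDR_LEN 10u

/* Simplified user-space model of an sk_buff: linear data and its length. */
struct pkt { uint8_t *data; size_t len; };

/* The check the description calls insufficient: coded_len against total length only. */
static int old_check_ok(const struct pkt *dst, size_t coded_len)
{
    return coded_len <= dst->len;
}

/* Payload bytes after the header; 0 when the buffer is shorter than the header. */
static size_t payload_room(const struct pkt *p)
{
    return p->len > HDR_LEN ? p->len - HDR_LEN : 0;
}

/* XOR coded_len payload bytes of src into dst; -1 if either payload is too short. */
static int decode_checked(struct pkt *dst, const struct pkt *src, size_t coded_len)
{
    if (coded_len > payload_room(dst) || coded_len > payload_room(src))
        return -1;
    for (size_t i = 0; i < coded_len; i++)
        dst->data[HDR_LEN + i] ^= src->data[HDR_LEN + i];
    return 0;
}

int main(void)
{
    /* Constructed sample: 32-byte destination, 20-byte source. */
    uint8_t d[32], s[20];
    memset(d, 0xAA, sizeof d);
    memset(s, 0x55, sizeof s);
    struct pkt dst = { d, sizeof d }, src = { s, sizeof s };
    size_t lens[] = { 10, 11, 22, 30 };
    for (size_t i = 0; i < 4; i++)
        printf("coded_len=%zu old_check=%d decode=%d\n", lens[i],
               old_check_ok(&dst, lens[i]), decode_checked(&dst, &src, lens[i]));
    return 0;
}
```

Every sample length passes the total-length check, but only `coded_len=10` fits the payload area of both buffers once the header offset is subtracted.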

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's batman-adv module, an out-of-bounds read/write in network-coding decode allows local attackers to crash the system or potentially escalate privileges.

Vulnerability

In the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) module, the function batadv_nc_skb_decode_packet() in the network-coding component fails to properly validate the coded_len field against the actual payload size of both the destination and source socket buffers. The function only checks coded_len against skb->len, but the XOR operation starts at an offset of sizeof(struct batadv_unicast_packet), reducing the available headroom. This oversight allows an out-of-bounds read and a small out-of-bounds write when processing crafted network-coding packets [1].

Exploitation

An attacker with the ability to inject specially crafted network packets onto a mesh network using batman-adv can trigger this vulnerability. No authentication is required beyond network access to the mesh. The attack surface is local to the mesh network, but the vulnerability can be exploited remotely if the attacker can send packets to a vulnerable node. The lack of proper length validation on the source skb means the attacker can cause the kernel to read or write beyond allocated memory boundaries.

Impact

Successful exploitation could lead to a denial of service (system crash) or potentially arbitrary code execution in kernel context, depending on the memory layout. The out-of-bounds write is limited in size, but combined with the read, it may be sufficient to corrupt kernel data structures. The CVSS v3.1 base score is 7.1 (High), reflecting the potential for high impact on confidentiality, integrity, and availability.

Mitigation

The fix has been applied in the Linux kernel stable branches, as seen in commits [3] and [4]. Users should update their kernel to a version containing the patch. Siemens has also listed this CVE in their advisory SSA-032379 for affected products like SIMATIC CN 4100 [1]. No workaround is available; updating is the recommended mitigation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
