CVE-2026-31659
Description
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject oversized global TT response buffers
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().
The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.
Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Linux kernel's batman-adv, integer overflow in global TT response buffer allocation leads to heap out-of-bounds write, fixed by rejecting oversized responses.
CVE-2026-31659 describes a critical vulnerability in the Linux kernel's batman-adv module. The function batadv_tt_prepare_tvlv_global_data() allocates memory for a global translation table (TT) response using 16-bit temporary variables. When a remote originator advertises a sufficiently large global TT, the combined TT payload length and VLAN header offset can overflow 16 bits, wrapping to a small value before kmalloc(). This results in a heap buffer that is too small for the actual data, leading to a heap out-of-bounds write.
An attacker on the same batman-adv mesh network can exploit this by sending a crafted TT response with a large payload length. No authentication is required if the network accepts TT advertisements from any node. The overflow occurs before a later packet-size check, so the attacker can write controlled data past the end of the allocated heap object.
Successful exploitation allows arbitrary code execution in kernel context, potentially leading to full system compromise. The CVSS v3 score of 9.8 reflects the critical severity and remote attack vector.
The fix, introduced in the kernel stable tree, rejects TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field. Affected users should apply the stable kernel update containing commits [1], [2], [3], or [4] as appropriate for their kernel version. No workaround is available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.13.1,<5.10.253
- cpe:2.3:o:linux:linux_kernel:3.13:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/2997f4bd1f982e7013709946e00be89b507693fanvdPatch
- git.kernel.org/stable/c/3a359bf5c61d52e7f09754108309d637532164a6nvdPatch
- git.kernel.org/stable/c/69d61639bc7e963c3b645e570279d731e7c89062nvdPatch
- git.kernel.org/stable/c/7e5d007e0df946bffb8542fb112e0044014a5897nvdPatch
- git.kernel.org/stable/c/95c71365a2222908441b54d6f2c315e0c79fcec3nvdPatch
- git.kernel.org/stable/c/cf2199171ef799ca7270019125f4a91bd20ad4d9nvdPatch
- git.kernel.org/stable/c/de6c1dc3c7d01a152607e6fcecee4d5288283f10nvdPatch
- git.kernel.org/stable/c/f970646b9a39539d1bac86822ac78b5915455ea9nvdPatch
News mentions
0No linked articles in our index yet.