VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46198

Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix integer overflow on buff_pos

Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An integer overflow in batman-adv's buff_pos handling can cause out-of-bound reads in the Linux kernel.

Vulnerability

In the Linux kernel's batman-adv module, an integer overflow vulnerability exists in batadv_iv_ogm_send_to_if. The buff_pos variable is declared as s16, but the size check in batadv_iv_ogm_aggr_packet uses the int type. This type mismatch can cause a 16-bit integer overflow, leading to an out-of-bound read. The issue affects all Linux kernel versions with batman-adv enabled prior to the fix.

Exploitation

An attacker with local access or the ability to influence batman-adv network traffic must trigger the OGM aggregation path. By crafting packets that cause buff_pos to increment beyond the 16-bit signed maximum (32767), the subsequent size check passes incorrectly while the actual buffer offset wraps around, resulting in a read of memory outside the allocated buffer.

Impact

Successful exploitation results in an out-of-bound read, potentially leaking sensitive kernel memory content. The scope is limited to information disclosure, with no direct privilege escalation or remote code execution implied by the available references.

Mitigation

The fix was committed in the Linux kernel stable tree (commit bf872db54f91) on May 28, 2026 [1]. Users should update to a kernel containing this patch. No workarounds beyond disabling batman-adv (if unused) are documented. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

10
974542d1efc4

batman-adv: fix integer overflow on buff_pos

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Lyes Bourennani · Apr 21, 2026 · Fixed in 6.12.90 via kernel-cna
1 file changed · +1 2
  • net/batman-adv/bat_iv_ogm.c · +1 2 · modified
    diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
    index c31edbd7c2abab..98984296989e11 100644
    --- a/net/batman-adv/bat_iv_ogm.c
    +++ b/net/batman-adv/bat_iv_ogm.c
    @@ -334,7 +334,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
     	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
     	const char *fwd_str;
     	u8 packet_num;
    -	s16 buff_pos;
    +	int buff_pos;
     	struct batadv_ogm_packet *batadv_ogm_packet;
     	struct sk_buff *skb;
     	u8 *packet_pos;
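Review bot: at the changed declaration, nothing ties the width of `buff_pos` to the `int` size check in `batadv_iv_ogm_aggr_packet` that the commit message refers to, so a later cleanup could narrow it again without anyone noticing. A one-line comment on `int buff_pos;` saying it must stay at least as wide as that check would help, and since the value is a position into the packet buffer, the commit message could say why a signed `int` was preferred over an unsigned type.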
    
    
    
b252797bfced

batman-adv: fix integer overflow on buff_pos

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Lyes Bourennani · Apr 21, 2026 · Fixed in 7.0.9 via kernel-cna
1 file changed · +1 2
  • net/batman-adv/bat_iv_ogm.c · +1 2 · modified
    diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
    index f28e9cbf8ad5f2..618d1889c04e75 100644
    --- a/net/batman-adv/bat_iv_ogm.c
    +++ b/net/batman-adv/bat_iv_ogm.c
    @@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
     	struct batadv_priv *bat_priv = netdev_priv(hard_iface->mesh_iface);
     	const char *fwd_str;
     	u8 packet_num;
    -	s16 buff_pos;
    +	int buff_pos;
     	struct batadv_ogm_packet *batadv_ogm_packet;
     	struct sk_buff *skb;
     	u8 *packet_pos;
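Review bot: `u8 packet_num;`, one line above the changed declaration, is still an 8-bit counter in the same function, and the patch does not say whether it was audited for the same kind of wrap as `buff_pos`. Please confirm what `packet_num` feeds; if it is used for anything beyond logging, widen it in this change, otherwise note in the commit message why 8 bits is sufficient.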
    
    
    
0799e5943611

batman-adv: fix integer overflow on buff_pos

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Lyes Bourennani · Apr 21, 2026 · Fixed in 7.1-rc4 via kernel-cna
1 file changed · +1 2
  • net/batman-adv/bat_iv_ogm.c · +1 2 · modified
    diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
    index f28e9cbf8ad5f2..618d1889c04e75 100644
    --- a/net/batman-adv/bat_iv_ogm.c
    +++ b/net/batman-adv/bat_iv_ogm.c
    @@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
     	struct batadv_priv *bat_priv = netdev_priv(hard_iface->mesh_iface);
     	const char *fwd_str;
     	u8 packet_num;
    -	s16 buff_pos;
    +	int buff_pos;
     	struct batadv_ogm_packet *batadv_ogm_packet;
     	struct sk_buff *skb;
     	u8 *packet_pos;
    
    
    
bf872db54f91

batman-adv: fix integer overflow on buff_pos

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Lyes Bourennani · Apr 21, 2026 · Fixed in 6.18.32 via kernel-cna
1 file changed · +1 2
  • net/batman-adv/bat_iv_ogm.c · +1 2 · modified
    diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
    index f28e9cbf8ad5f2..618d1889c04e75 100644
    --- a/net/batman-adv/bat_iv_ogm.c
    +++ b/net/batman-adv/bat_iv_ogm.c
    @@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
     	struct batadv_priv *bat_priv = netdev_priv(hard_iface->mesh_iface);
     	const char *fwd_str;
     	u8 packet_num;
    -	s16 buff_pos;
    +	int buff_pos;
     	struct batadv_ogm_packet *batadv_ogm_packet;
     	struct sk_buff *skb;
     	u8 *packet_pos;
    
    
    
f61499359fa5

batman-adv: fix integer overflow on buff_pos

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Lyes Bourennani · Apr 21, 2026 · Fixed in 6.6.140 via kernel-cna
1 file changed · +1 2
  • net/batman-adv/bat_iv_ogm.c · +1 2 · modified
    diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
    index c31edbd7c2abab..98984296989e11 100644
    --- a/net/batman-adv/bat_iv_ogm.c
    +++ b/net/batman-adv/bat_iv_ogm.c
    @@ -334,7 +334,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
     	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
     	const char *fwd_str;
     	u8 packet_num;
    -	s16 buff_pos;
    +	int buff_pos;
     	struct batadv_ogm_packet *batadv_ogm_packet;
     	struct sk_buff *skb;
     	u8 *packet_pos;
    
    
    

Vulnerability mechanics

Root cause

"Integer overflow in `buff_pos` due to type mismatch: `s16` variable wraps before the `int`-based size check catches it."

Attack vector

An attacker on the same batman-adv mesh network can craft a series of aggregated OGM packets that cause `buff_pos` to exceed the range of `s16` (32767). Because the size check in `batadv_iv_ogm_aggr_packet` operates on `int`, the overflow wraps `buff_pos` to a negative value, bypassing the bounds check and allowing an out-of-bounds read of kernel memory. [patch_id=2897835]

Affected code

The vulnerability is in `net/batman-adv/bat_iv_ogm.c` in the function `batadv_iv_ogm_send_to_if`. The `buff_pos` variable was declared as `s16` while the size check in `batadv_iv_ogm_aggr_packet` uses `int`, creating a type mismatch that can lead to integer overflow. [patch_id=2897835] [patch_id=2897826]

What the fix does

The patch changes the type of `buff_pos` from `s16` to `int` in `batadv_iv_ogm_send_to_if`. This eliminates the integer overflow because `int` has a much larger range than `s16`, ensuring that the accumulated position value cannot wrap around before the size check is applied. The fix is minimal and directly addresses the root cause. [patch_id=2897835]
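
The type mismatch described above, reduced to a stand-alone C model. This is an added example, not the kernel's code: `rec_fits`, `walk`, `HDR_LEN`, `REC_LEN` and the buffer sizes are constructed for illustration, and no memory is actually read. It shows an `int` size check accepting a wrapped 16-bit position, and the same walk stopping cleanly once the position is an `int`.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 24    /* constructed header size for this model */
#define REC_LEN 1000  /* constructed size of one aggregated record */

/* Size check performed in int, as the advisory describes for the callee. */
static int rec_fits(int pos, int total_len)
{
	return pos + HDR_LEN <= total_len;
}

/*
 * Walk fixed-size records in a buffer of total_len bytes without touching
 * memory. With use_s16 set, the position is stored back through a 16-bit
 * signed type after every step (the pre-fix declaration); otherwise it
 * stays an int (the post-fix declaration).
 * Returns the number of in-bounds records; *bad_pos receives the first
 * position that passed rec_fits() while lying outside the buffer, or 0.
 */
static int walk(int total_len, int use_s16, int *bad_pos)
{
	int pos = 0, records = 0;

	*bad_pos = 0;
	while (rec_fits(pos, total_len)) {
		if (pos < 0) {          /* check passed, offset is before the buffer */
			*bad_pos = pos;
			break;
		}
		records++;
		pos += REC_LEN;
		if (use_s16)
			pos = (int16_t)pos; /* truncation on store into an s16 */
	}
	return records;
}

int main(void)
{
	int bad, n;

	n = walk(40000, 1, &bad);
	printf("s16: %d records, accepted offset %d\n", n, bad);
	n = walk(40000, 0, &bad);
	printf("int: %d records, accepted offset %d\n", n, bad);
	return 0;
}
```

The narrowing conversion is implementation-defined in ISO C; the wrapped value here is what GCC and Clang produce. Buffers shorter than 32767 bytes never reach the wrap, which is why the mismatch only matters for large aggregates.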

Preconditions

  • network: The attacker must be able to send batman-adv OGM packets on the same mesh network as the target.
  • config: The target must have the batman-adv kernel module loaded and be part of a mesh network.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
