CVE-2026-46212
Description
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bla: prevent use-after-free when deleting claims
When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().
But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free flaw in batman-adv BLA code allows local privilege escalation by freeing a claim object before removing its hash list entry.
Vulnerability
In the Linux kernel's batman-adv module, a use-after-free vulnerability exists in the Bridge Loop Avoidance (BLA) implementation. When batadv_bla_del_backbone_claims() removes all claims for a backbone, it drops the link entry in the hash list. However, the batadv_claim_put() call, which decrements the reference count and may free the claim object via batadv_claim_release(), is executed before the hash list entry is fully removed. This leaves a window where the claim can be freed while still referenced in the list, leading to a use-after-free. The affected versions include all Linux kernel versions prior to the patch introduced by commit 00155f336a5e [1].
Exploitation
An attacker with local access to the system and the ability to trigger BLA operations, specifically to manipulate backbone and claim management, can exploit this race. The attacker must cause the deletion of claims while simultaneously accessing the claim through another path that uses the stale hash list entry. This requires precise timing to hit the race window between the batadv_claim_put() and the actual list entry removal. No authentication beyond local user access is required, but the attacker must be able to interact with the batman-adv interface.
Impact
Successful exploitation allows the attacker to achieve a use-after-free condition, potentially leading to privilege escalation. By freeing a kmalloc-allocated batadv_claim object while it is still accessible, an attacker may corrupt kernel memory and execute arbitrary code in kernel context. This results in full compromise of the system's confidentiality, integrity, and availability.
Mitigation
A fix was committed to the Linux kernel stable tree on 2026-05-28 via commit 00155f336a5e [1]. Users should update their kernel to a version containing this commit or later. For distributions that backport fixes, apply the relevant patch. No workaround is available without patching, as the vulnerability is in core BLA logic. The CVE is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
0cc9847c64cb batman-adv: bla: prevent use-after-free when deleting claims
1 file changed · +1 −2
net/batman-adv/bridge_loop_avoidance.c+1 −2 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 51fe028b90881e..8b77dd2ecfa419 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct batadv_bla_backbone_gw *backbone_gw) if (claim->backbone_gw != backbone_gw) continue; - batadv_claim_put(claim); hlist_del_rcu(&claim->hash_entry); + batadv_claim_put(claim); } spin_unlock_bh(list_lock); } -- cgit 1.3-korg
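Review bot: The reorder is correct, but the hunk leaves the dependency undocumented: nothing next to `batadv_claim_put(claim);` says that this is the reference owned by the hash list entry and therefore must come after `hlist_del_rcu(&claim->hash_entry);`. A one-line comment above the put (for example `/* the list entry held this reference; drop it only after unlinking */`) would stop a later cleanup from swapping the two calls back. Worth a sentence in the commit message as well: the context shows the list lock is still held across both calls (`spin_unlock_bh(list_lock)` follows the loop), so the ordering is purely about the object's lifetime, not about concurrent list modification. The same hunk appears unchanged in the other four commits listed on this page, so the comment applies to each of them.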
4ae1709a3140 batman-adv: bla: prevent use-after-free when deleting claims
1 file changed · +1 −2
net/batman-adv/bridge_loop_avoidance.c+1 −2 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 51fe028b90881e..8b77dd2ecfa419 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct batadv_bla_backbone_gw *backbone_gw) if (claim->backbone_gw != backbone_gw) continue; - batadv_claim_put(claim); hlist_del_rcu(&claim->hash_entry); + batadv_claim_put(claim); } spin_unlock_bh(list_lock); } -- cgit 1.3-korg
368449e467d5 batman-adv: bla: prevent use-after-free when deleting claims
1 file changed · +1 −2
net/batman-adv/bridge_loop_avoidance.c+1 −2 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 96b3c1c972cd27..c4f364831df8a6 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct batadv_bla_backbone_gw *backbone_gw) if (claim->backbone_gw != backbone_gw) continue; - batadv_claim_put(claim); hlist_del_rcu(&claim->hash_entry); + batadv_claim_put(claim); } spin_unlock_bh(list_lock); } -- cgit 1.3-korg
6c5dc6d68e6b batman-adv: bla: prevent use-after-free when deleting claims
1 file changed · +1 −2
net/batman-adv/bridge_loop_avoidance.c+1 −2 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 53721ce414dc31..5f106b7299fb77 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct batadv_bla_backbone_gw *backbone_gw) if (claim->backbone_gw != backbone_gw) continue; - batadv_claim_put(claim); hlist_del_rcu(&claim->hash_entry); + batadv_claim_put(claim); } spin_unlock_bh(list_lock); } -- cgit 1.3-korg
00155f336a5e batman-adv: bla: prevent use-after-free when deleting claims
1 file changed · +1 −2
net/batman-adv/bridge_loop_avoidance.c+1 −2 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index d4f4e97a27f107..41313ea2193585 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -319,8 +319,8 @@ batadv_bla_del_backbone_claims(struct batadv_bla_backbone_gw *backbone_gw) if (claim->backbone_gw != backbone_gw) continue; - batadv_claim_put(claim); hlist_del_rcu(&claim->hash_entry); + batadv_claim_put(claim); } spin_unlock_bh(list_lock); } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Use-after-free due to calling batadv_claim_put() (which may trigger batadv_claim_release() and free the claim) before the last access to the claim object (hlist_del_rcu) in batadv_bla_del_backbone_claims()."
Attack vector
An attacker who can trigger the deletion of bridge loop avoidance (BLA) claims for a backbone gateway can cause a use-after-free. When batadv_bla_del_backbone_claims() iterates over the claim hash list, it previously called batadv_claim_put() before hlist_del_rcu(). If batadv_claim_put() drops the last reference, batadv_claim_release() frees the claim object, and the subsequent hlist_del_rcu() accesses freed memory [patch_id=2897718]. This requires the ability to manipulate BLA state, which is reachable from the batman-adv mesh network.
Affected code
The vulnerable function is batadv_bla_del_backbone_claims() in net/batman-adv/bridge_loop_avoidance.c. The bug is in the loop that iterates over the claim hash list, where batadv_claim_put() was called before hlist_del_rcu() [patch_id=2897718].
What the fix does
The patch swaps the order of operations in batadv_bla_del_backbone_claims(): hlist_del_rcu() is now called before batadv_claim_put() [patch_id=2897718]. This ensures that the claim object is still valid when its hash entry is removed from the list. The reference held by the list entry is dropped only after the list entry is no longer needed, preventing a premature free by batadv_claim_release().
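The ordering problem described in the commit message and in "What the fix does" above, as an added userspace model that is not kernel code: claim_put, list_del, del_backbone_claims and run_model are constructed stand-ins for batadv_claim_put(), hlist_del_rcu() and batadv_bla_del_backbone_claims(), and release marks the object dead instead of freeing it so that a stale access can be counted rather than crash. The model deletes every claim in the list rather than only those of one backbone gateway.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added userspace model of the CVE-2026-46212 bug (not kernel code): a claim
 * is refcounted and its list link owns one reference, as hash_entry does in
 * batadv. Release marks it dead instead of freeing, so later touches count. */
struct claim {
    int refcount;
    bool live;            /* false once released */
    struct claim *next;   /* stand-in for hlist_node hash_entry */
};
static int uaf_touches;   /* accesses to a claim after its release */

/* batadv_claim_put() analogue: drop a reference, release on the last one. */
static void claim_put(struct claim *c)
{
    if (--c->refcount == 0)
        c->live = false;  /* batadv_claim_release() would free here */
}

/* hlist_del_rcu() analogue: unlinking reads and writes the node's fields. */
static void list_del(struct claim **head, struct claim *c)
{
    if (!c->live)
        uaf_touches++;    /* the node being unlinked was already released */
    for (struct claim **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == c) { *pp = c->next; break; }
}

/* Delete every claim; put_first is the pre-fix order (put before unlink). */
static int del_backbone_claims(struct claim **head, bool put_first)
{
    uaf_touches = 0;
    for (struct claim *c = *head, *next; c; c = next) {
        next = c->next;
        if (put_first) { claim_put(c);      list_del(head, c); }
        else           { list_del(head, c); claim_put(c);      }
    }
    return uaf_touches;
}

/* Constructed input: claims 0-2 held only by the list, claim 3 has a second
 * holder (refcount 2) and must survive either ordering. */
static int run_model(bool put_first, struct claim out[4])
{
    struct claim *head = NULL;
    for (int i = 0; i < 4; i++) {
        out[i] = (struct claim){ i == 3 ? 2 : 1, true, head };
        head = &out[i];
    }
    return del_backbone_claims(&head, put_first);
}
```

With put_first set, run_model reports one stale touch per claim whose only reference was the list entry; with the fixed order it reports none, and the claim with a second holder stays live in both cases.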
Preconditions
- network: The attacker must be able to trigger deletion of BLA claims for a backbone gateway on a batman-adv mesh network.
- config: The batman-adv bridge loop avoidance feature must be enabled on the system.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/00155f336a5e8b1006d2ca9ae7ad8fc4a44bb401 (nvd)
- git.kernel.org/stable/c/0cc9847c64cb6e61118bc78c9187c8209a7197fa (nvd)
- git.kernel.org/stable/c/368449e467d5f1e2c2e987bf2bd57000ba75e10b (nvd)
- git.kernel.org/stable/c/4ae1709a314060a196981b344610d023ea841e57 (nvd)
- git.kernel.org/stable/c/6c5dc6d68e6ba7f0224a757a39ed52fcdb54d472 (nvd)
News mentions
No linked articles in our index yet.