CVE-2026-46231
Description
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: bla: put backbone reference on failed claim hash insert
When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, batman-adv BLA leaks a backbone gateway reference when claim hash insert fails, leading to a memory leak.
Vulnerability
In the Linux kernel's batman-adv module, the batadv_bla_add_claim() function fails to release a reference to a backbone_gw object when inserting a new claim into the hash table fails. This affects the Bridge Loop Avoidance (BLA) feature. The vulnerability is present in kernel versions where the affected code exists; the fix has been applied in the stable kernel commit [1].
Exploitation
An attacker with the ability to trigger the claim insertion failure path in batadv_bla_add_claim() can cause the reference leak. This requires network access to a batman-adv mesh network and the ability to manipulate claim insertions such that the hash insertion fails (e.g., by causing memory allocation failures or hash collisions). No authentication is needed beyond existing mesh node participation.
Impact
On each failed insertion, a backbone_gw object reference is leaked, leading to a memory leak. Over repeated exploitation, this can exhaust kernel memory, potentially causing denial of service (DoS) on the affected node. No confidentiality or integrity impact is expected.
Mitigation
The fix is included in the Linux kernel stable commit 1. System administrators should apply the latest stable kernel updates that contain this commit. No workaround is available; the only mitigation is to patch the kernel.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
10ba9d20ee9076batman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
7cccf4eb4f96batman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
0baf4b659cdcbatman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index fd5ba288c7b121..2d7971424aa0eb 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -724,6 +724,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index fd5ba288c7b121..2d7971424aa0eb 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -724,6 +724,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
fd0ca034c1e7batman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index d67bcbddd63f54..3ccfa298fa8871 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index d67bcbddd63f54..3ccfa298fa8871 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
65419eb4259abatman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 2da608d51d9187..30deb7d73b2be1 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 2da608d51d9187..30deb7d73b2be1 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
0baf4b659cdcbatman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index fd5ba288c7b121..2d7971424aa0eb 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -724,6 +724,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index fd5ba288c7b121..2d7971424aa0eb 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -724,6 +724,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
fd0ca034c1e7batman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index d67bcbddd63f54..3ccfa298fa8871 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index d67bcbddd63f54..3ccfa298fa8871 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
65419eb4259abatman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 2da608d51d9187..30deb7d73b2be1 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 2da608d51d9187..30deb7d73b2be1 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
7cccf4eb4f96batman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
ba9d20ee9076batman-adv: bla: put backbone reference on failed claim hash insert
2 files changed · +2 −2
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
net/batman-adv/bridge_loop_avoidance.c+1 −1 modifieddiff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c index 879ab043d57a9f..cec11f1251d66a 100644 --- a/net/batman-adv/bridge_loop_avoidance.c +++ b/net/batman-adv/bridge_loop_avoidance.c @@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv, if (unlikely(hash_added != 0)) { /* only local changes happened. */ + batadv_backbone_gw_put(backbone_gw); kfree(claim); return; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing reference decrement on error path in batadv_bla_add_claim() leaks a backbone_gw reference when hash insert fails."
Attack vector
An attacker on the same batman-adv mesh network can trigger a claim hash insert failure, causing the `batadv_bla_add_claim()` function to take the error path where `hash_added != 0`. On this path, the function previously freed the `claim` object but leaked a reference to the `backbone_gw` object [patch_id=2897567]. Repeatedly triggering this condition exhausts the reference count of the backbone gateway object, leading to a use-after-free or memory leak.
Affected code
The vulnerability is in the `batadv_bla_add_claim()` function in `net/batman-adv/bridge_loop_avoidance.c` [patch_id=2897567]. When a claim hash insert fails (`hash_added != 0`), the function frees the `claim` object but previously did not release the reference to `backbone_gw` that was acquired earlier in the function.
What the fix does
The patch adds a single call to `batadv_backbone_gw_put(backbone_gw)` on the error path before `kfree(claim)` and `return` [patch_id=2897567]. This ensures that the reference to the backbone gateway object acquired earlier in the function is properly released when the claim cannot be inserted into the hash, preventing the reference leak that could lead to object lifetime issues.
Preconditions
- networkThe attacker must be able to send batman-adv mesh traffic that triggers claim processing on the target node
- configThe target node must have bridge loop avoidance (BLA) enabled
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0nvd
- git.kernel.org/stable/c/65419eb4259a26a3cd3f56fa0e3b3c113bf8c256nvd
- git.kernel.org/stable/c/7cccf4eb4f96d3c3af91a00b7a9caa652439542envd
- git.kernel.org/stable/c/ba9d20ee9076dac32c371116bacbe72480eb356cnvd
- git.kernel.org/stable/c/fd0ca034c1e71ca7613cde9dd892836b2c2831bdnvd
News mentions
0No linked articles in our index yet.