CVE-2026-52916 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

References

Link	Providers
https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8
https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d
https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf
https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc
https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a
https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3
https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9
https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d

History

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.
Title		batman-adv: frag: disallow unicast fragment in fragment
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8 https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3 https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9 https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:13.221Z

Updated: 2026-06-24T07:14:13.221Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52916

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object