{"id":"CVE-2026-52919","summary":"batman-adv: fix tp_meter counter underflow during shutdown","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix tp_meter counter underflow during shutdown\n\nbatadv_tp_sender_shutdown() unconditionally decrements the \"sending\"\natomic counter. If multiple paths (e.g. timeout, user cancel, and\nnormal finish) call this function, the counter can underflow to -1.\n\nSince the sender logic treats any non-zero value as \"still sending\",\na negative value causes the sender kthread to loop indefinitely.\nThis leads to a use-after-free when the interface is removed while\nthe zombie thread is still active.\n\nFix this by using atomic_xchg() to ensure the counter only transitions\nfrom 1 to 0 once.\n\n[sven: added missing change in batadv_tp_send]","modified":"2026-07-10T03:54:25.563518587Z","published":"2026-06-24T07:14:15.201Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52919.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/01cefc5923889e29dbb5f281c3d457714ceb9c00"},{"type":"WEB","url":"https://git.kernel.org/stable/c/90ae3eae06b7b8ab9f6250b9497c860915b4c17b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94f3b133168d1c49895e7cc6afbcf1cc0b354602"},{"type":"WEB","url":"https://git.kernel.org/stable/c/abae88fa254f2981d39ac003a7b302528a22af64"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aeae11c5dad9cd0d50723890bdd866f8e6db2e7d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c1bac194733aabd731aafa6a01350c229e187dba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c66d20a3ff095e3f000551d208ec2606616db15c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e75e2ab463b5b34df6b98f94d740aff327ce9f6b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52919.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52919"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e"},{"fixed":"e75e2ab463b5b34df6b98f94d740aff327ce9f6b"},{"fixed":"abae88fa254f2981d39ac003a7b302528a22af64"},{"fixed":"c66d20a3ff095e3f000551d208ec2606616db15c"},{"fixed":"c1bac194733aabd731aafa6a01350c229e187dba"},{"fixed":"01cefc5923889e29dbb5f281c3d457714ceb9c00"},{"fixed":"90ae3eae06b7b8ab9f6250b9497c860915b4c17b"},{"fixed":"aeae11c5dad9cd0d50723890bdd866f8e6db2e7d"},{"fixed":"94f3b133168d1c49895e7cc6afbcf1cc0b354602"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52919.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.8.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.142"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.92"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.34"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52919.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}