{"id":"CVE-2026-52931","summary":"batman-adv: tp_meter: avoid use of uninit sender vars","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: tp_meter: avoid use of uninit sender vars\n\nbatadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the\nBATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it\nproceeds to read sender-only members that were never initialized, leading\nto undefined behavior.\n\nThis can be triggered when a node that is currently acting as a receiver in\nan ongoing tp_meter session receives a malicious ACK packet.\n\nGuard against this by checking tp_vars-\u003erole immediately after the\nlookup and bailing out if it is not BATADV_TP_SENDER, before any of\nthose members are accessed.","modified":"2026-07-15T01:49:06.163263632Z","published":"2026-06-24T07:14:23.349Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52931.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0e388af04b3958b178a1b979527f93eb46ea1fee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1a21c055f66e78973712a4a1be2a554f1ee2e4f4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/53f931e0146ae5bdab4cba302646827d06b3794b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6c65cf23d4c6170fcf5714c32aa64689718cb142"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85397e48afe6be83ffca5ad3f4792296bfc81d3d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9884c9c02d3c90e9215db3c5128f59045d20ae91"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dc2ae5fbd2dadc26735092f140b246841d969a11"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ecdaa3e4d91040206afe21bc8a0d1198a0971ff3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52931.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52931"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"33a3bb4a3345bb511f9c69c913da95d4693e2a4e"},{"fixed":"0e388af04b3958b178a1b979527f93eb46ea1fee"},{"fixed":"1a21c055f66e78973712a4a1be2a554f1ee2e4f4"},{"fixed":"9884c9c02d3c90e9215db3c5128f59045d20ae91"},{"fixed":"53f931e0146ae5bdab4cba302646827d06b3794b"},{"fixed":"ecdaa3e4d91040206afe21bc8a0d1198a0971ff3"},{"fixed":"dc2ae5fbd2dadc26735092f140b246841d969a11"},{"fixed":"85397e48afe6be83ffca5ad3f4792296bfc81d3d"},{"fixed":"6c65cf23d4c6170fcf5714c32aa64689718cb142"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52931.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.8.0"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.142"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.92"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.34"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52931.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}