CRITICAL🇵🇱 Wersja polska

CVE-2026-31657

CVSS 9.8v3.1pub. 2026-04-24upd. 2026-06-01

In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.

🤖 AI Analysis
How it works

The batadv_bla_add_claim() function can replace the claim->backbone_gw pointer and release the last reference to the old backbone gateway, while other threads still dereference this pointer. The netlink dump path and batadv_bla_check_claim() function access claim->backbone_gw->orig and claim->backbone_gw->crc_lock fields without prior pinning of the underlying gateway object. The fix involves reusing the batadv_bla_claim_get_backbone_gw() function in both read code paths, so they operate on a stable reference to the gateway for the entire duration of the read operation.

Impact

An attacker can trigger a NULL pointer dereference or pointer race condition leading to memory corruption, which in practice can result in denial of service (kernel panic) or — depending on conditions — privilege escalation or remote code execution (RCE).

Mitigation & patch

Patches available from the vendor should be applied according to the references — fixes have been published in the kernel.org (stable) repository under the indicated commits. It is recommended to update to the latest stable version of the kernel containing the mentioned patches.

Who is affected

Linux Kernel — versions indicated in the vendor's references (fix commits available in the kernel.org repository)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    3.57.06.7 – 6.12.82 (bez)3.5.1 – 6.1.169 (bez)6.19 – 6.19.13 (bez)6.13 – 6.18.23 (bez)6.2 – 6.6.135 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...