SB20260625269 - NULL pointer dereference in Linux kernel batman-adv
Published: June 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2026-52913)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the batman-adv OGMv2 handling code when processing OGM dispatch on an interface that has been disabled and lost its mesh interface association. A local user can trigger OGM processing on such an interface to cause a denial of service.
The issue occurs because an interface may be disabled after OGM processing begins, leaving its mesh interface pointer set to NULL while the code still attempts to use it.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/040fe8eb34624002071dd21de9824dfe668ce65d
- https://git.kernel.org/stable/c/1be1e99cbd5b74a69d3f92200ca87cf1bce852db
- https://git.kernel.org/stable/c/31dcb9711abd1dcd2080d9fac05c79dd9997d6bf
- https://git.kernel.org/stable/c/4ff461af943efb5e74d09942d5ffee7644d1e1fe
- https://git.kernel.org/stable/c/70c9f6ab0d8f785087fb74fb85464a9a5288bfdb
- https://git.kernel.org/stable/c/aad70db50ea3d7dfe30e402b889ff075a293b287
- https://git.kernel.org/stable/c/d7391a2b854a62235539c68e9cbf6fc7910a8e9a
- https://git.kernel.org/stable/c/f8ce8b8331a1bc44ad4905886a482214d428b253