NULL pointer dereference in Linux kernel - CVE-2026-52913

 


Published: June 25, 2026


Vulnerability identifier: #VU135457
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52913
CWE-ID: CWE-476
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the batman-adv OGMv2 handling code when processing OGM dispatch on an interface that has been disabled and lost its mesh interface association. A local user can trigger OGM processing on such an interface to cause a denial of service.

The issue occurs because an interface may be disabled after OGM processing begins, leaving its mesh interface pointer set to NULL while the code still attempts to use it.
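The pattern described above, as an added userspace C model (not kernel code and not the upstream patch): the interface's mesh pointer is read once, tested, and only that snapshot is used, so a disable that lands mid-processing cannot turn into a NULL dereference. All struct and function names and the `-ENODEV` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>

/* Userspace model; every name here is hypothetical, not the kernel's. */
struct mesh_iface { unsigned long ogm_rx; };
struct hard_iface {
    _Atomic(struct mesh_iface *) mesh;  /* NULL once the interface is disabled */
};

unsigned long last_rx;                  /* counter observed by the last run_case() */

/* Models the disable path: the interface loses its mesh association. */
void iface_disable(struct hard_iface *hif)
{
    atomic_store(&hif->mesh, NULL);
}

/* Unchecked form: faults if the interface was disabled before this runs. */
void ogm_dispatch_unchecked(struct hard_iface *hif)
{
    atomic_load(&hif->mesh)->ogm_rx++;
}

/*
 * Checked form: load the pointer once, test it, then use only that snapshot.
 * `during` stands in for a disable that lands after processing has begun.
 */
int ogm_dispatch_checked(struct hard_iface *hif, void (*during)(struct hard_iface *))
{
    struct mesh_iface *mesh = atomic_load(&hif->mesh);

    if (mesh == NULL)
        return -ENODEV;                 /* no mesh interface: drop the OGM */
    if (during)
        during(hif);                    /* hif->mesh becomes NULL here */
    mesh->ogm_rx++;                     /* snapshot, not a second read of hif->mesh */
    return 0;
}

/* Constructed scenario driver; returns the dispatch result. */
int run_case(int disabled_before, int disabled_during)
{
    struct mesh_iface mesh = { 0 };
    struct hard_iface hif;

    atomic_init(&hif.mesh, &mesh);
    if (disabled_before)
        iface_disable(&hif);
    int ret = ogm_dispatch_checked(&hif, disabled_during ? iface_disable : NULL);
    last_rx = mesh.ogm_rx;
    return ret;
}
```

In this model the mesh object outlives the call by construction; in kernel code the snapshot must additionally be kept valid by a reference or RCU for as long as it is used.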


How to mitigate CVE-2026-52913

Install the security update from the vendor's repository.
