Use-after-free in Linux kernel - CVE-2026-52919
Published: June 26, 2026
Vulnerability identifier: #VU135659
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52919
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service and trigger a use-after-free.
The vulnerability exists due to a use-after-free in batadv_tp_sender_shutdown() and batadv_tp_send() in the batman-adv tp_meter component when shutting down the throughput meter sender through multiple paths. A local user can trigger timeout, cancellation, or normal completion paths to cause a denial of service and trigger a use-after-free.
The issue occurs because the sending counter can underflow to a negative value, causing the sender kernel thread to continue running after interface removal.
How to mitigate CVE-2026-52919
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/01cefc5923889e29dbb5f281c3d457714ceb9c00
- https://git.kernel.org/stable/c/90ae3eae06b7b8ab9f6250b9497c860915b4c17b
- https://git.kernel.org/stable/c/94f3b133168d1c49895e7cc6afbcf1cc0b354602
- https://git.kernel.org/stable/c/abae88fa254f2981d39ac003a7b302528a22af64
- https://git.kernel.org/stable/c/aeae11c5dad9cd0d50723890bdd866f8e6db2e7d
- https://git.kernel.org/stable/c/c1bac194733aabd731aafa6a01350c229e187dba
- https://git.kernel.org/stable/c/c66d20a3ff095e3f000551d208ec2606616db15c
- https://git.kernel.org/stable/c/e75e2ab463b5b34df6b98f94d740aff327ce9f6b