CVE-2026-52916
Reported by Linux · Published June 24, 2026
In the Linux kernel, the following vulnerability has been resolved: batman-adv: frag: disallow unicast fragment in fragment batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process.
EPSS 0.18% · 7.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 610bfc6bc99bc83680d190ebc69359a05fc7f605, 610bfc6bc99bc83680d190ebc69359a05fc7f605, 610bfc6bc99bc83680d190ebc69359a05fc7f605 |
| Linux | Linux | 3.13, 0, 5.10.258 |
| Linux | Linux | 7.1, 0, 5.10.258 |
| linux | linux_kernel | 3.13, 3.13, 3.13 |
Timeline
- Jun 24, 2026 CVE Published
- Jun 25, 2026 Coalition ESS Score
- Jun 27, 2026 EPSS Score