{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-52914", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.367Z", "datePublished": "2026-06-24T07:14:11.906Z", "dateUpdated": "2026-06-24T07:14:11.906Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-24T07:14:11.906Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix fragment reassembly length accounting\n\nbatman-adv keeps a running payload length for queued fragments and uses it\nto validate a fragment chain before reassembly.\n\nThat accounting currently allows the accumulated fragment length to be\ntruncated during updates. As a result, malformed fragment chains can\nbypass the intended validation and drive reassembly with inconsistent\nlength state, leading to a local denial of service.\n\nFix the accounting by storing the accumulated length in a length-typed\nfield and rejecting update overflows before the existing validation logic\nruns.\n\nThe fix was verified against the original reproducer and against valid\nfragment reassembly paths."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/fragmentation.c", "net/batman-adv/types.h"], "versions": [{"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "e4f3f6b818aa6a678bc54a2d4e0bece2303c6a64", "status": "affected", "versionType": "git"}, {"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "37be61825b15534a16ff9cfc9546de155b6df982", "status": "affected", "versionType": "git"}, {"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "975563c5de1123dde1ec7946bf5556d20c89d74e", "status": "affected", "versionType": "git"}, {"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "f653b040dad1af70fa5cd4fe085e4758925480c9", "status": "affected", "versionType": "git"}, {"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "e910dbf509125fe51ad68e4fa74dc8ab0a8e787a", "status": "affected", "versionType": "git"}, {"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "3eb8bcb823391bd58997831b3c9c152a4ba8e255", "status": "affected", "versionType": "git"}, {"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "fdb2c96efb2baeb3725e9ce3ede8f1e36f5490f0", "status": "affected", "versionType": "git"}, {"version": "610bfc6bc99bc83680d190ebc69359a05fc7f605", "lessThan": "9cd3f16c320bfdadd4509358122368deb56a5741", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/fragmentation.c", "net/batman-adv/types.h"], "versions": [{"version": "3.13", "status": "affected"}, {"version": "0", "lessThan": "3.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.258", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.209", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.175", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.142", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.92", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.34", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.11", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "5.10.258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "5.15.209"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.1.175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.6.142"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.12.92"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.18.34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "7.0.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e4f3f6b818aa6a678bc54a2d4e0bece2303c6a64"}, {"url": "https://git.kernel.org/stable/c/37be61825b15534a16ff9cfc9546de155b6df982"}, {"url": "https://git.kernel.org/stable/c/975563c5de1123dde1ec7946bf5556d20c89d74e"}, {"url": "https://git.kernel.org/stable/c/f653b040dad1af70fa5cd4fe085e4758925480c9"}, {"url": "https://git.kernel.org/stable/c/e910dbf509125fe51ad68e4fa74dc8ab0a8e787a"}, {"url": "https://git.kernel.org/stable/c/3eb8bcb823391bd58997831b3c9c152a4ba8e255"}, {"url": "https://git.kernel.org/stable/c/fdb2c96efb2baeb3725e9ce3ede8f1e36f5490f0"}, {"url": "https://git.kernel.org/stable/c/9cd3f16c320bfdadd4509358122368deb56a5741"}], "title": "batman-adv: fix fragment reassembly length accounting", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{"bugzilla": {"description": "kernel: batman-adv: fix fragment reassembly length accounting", "id": "2492100", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492100"}, "csaw": false, "cwe": "CWE-130", "details": ["A flaw was found in the Linux kernel's batman-adv component. This vulnerability allows a local attacker to cause a denial of service (DoS) by sending malformed fragment chains. The flaw is due to incorrect accounting of fragment reassembly length, which can be truncated during updates, bypassing validation and leading to inconsistent length states during reassembly."], "name": "CVE-2026-52914", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-52914\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-52914\nhttps://lore.kernel.org/linux-cve-announce/2026062428-CVE-2026-52914-f89a@gregkh/T"]}