HIGH
batman-adv OGM Overflow
CVE-2026-31683
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 8.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: avoid OGM aggregation when skb tailroom is insufficient

When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions.

Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a new forward packet instead of appending.
02 KernelScan AI Analysis
Risk summary
Adjacent attackers can trigger a heap buffer overflow in the batman-adv mesh networking protocol by sending crafted OGM packets to a forwarding node that has an undersized aggregation buffer. This leads to controlled kernel heap memory corruption, potentially enabling code execution, privilege escalation, or system crashes on devices running batman-adv.
Vulnerability analysis
The vulnerability exists in batman-adv's OGM (Originator Message) aggregation logic. When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes. If a subsequent OGM packet is selected for aggregation into this undersized skb, the append operation writes beyond the buffer boundary, causing a heap buffer overflow. The fix adds a tailroom check (skb_tailroom(forw_packet->skb) < packet_len) to reject aggregation when insufficient space exists, forcing the caller to allocate a new forward packet instead. Because batman-adv processes layer-2 mesh frames from adjacent nodes, the bug is reachable from the local network segment without requiring privileges on the target system.
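The tailroom check described above, as an added userspace model; it is not the kernel patch or batman-adv code. The model_* names, the 512-byte aggregation size and the 24-byte OGM are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAX_AGGR_BYTES 512 /* constructed aggregation buffer size */

/* Toy stand-in for struct sk_buff: only the bookkeeping the check needs. */
struct model_skb { unsigned char *head; size_t len, cap; };

static size_t model_tailroom(const struct model_skb *skb) { return skb->cap - skb->len; }

/* New forward packet: sized for aggregation only if it is enabled right now,
 * otherwise allocated with only packet_len bytes. */
static struct model_skb *model_forw_new(const void *ogm, size_t packet_len, int aggr_on)
{
    struct model_skb *skb = malloc(sizeof(*skb));
    size_t cap = (aggr_on && packet_len < MODEL_MAX_AGGR_BYTES) ? MODEL_MAX_AGGR_BYTES : packet_len;
    if (!skb) return NULL;
    skb->head = malloc(cap);
    if (!skb->head) { free(skb); return NULL; }
    skb->cap = cap;
    skb->len = packet_len;
    memcpy(skb->head, ogm, packet_len);
    return skb;
}

/* Returns 1 if the OGM was appended, 0 if aggregation was rejected and the
 * caller must fall back to creating a new forward packet. */
static int model_try_aggregate(struct model_skb *forw, const void *ogm, size_t packet_len)
{
    if (model_tailroom(forw) < packet_len) /* the check the fix adds */
        return 0;
    memcpy(forw->head + forw->len, ogm, packet_len);
    forw->len += packet_len;
    return 1;
}

/* Allocate the first packet under the given aggregation state, then behave as
 * if aggregation is on and count how many further OGMs fit before rejection. */
static int model_count_appends(int first_aggr_on)
{
    unsigned char ogm[24] = {0}; /* constructed sample OGM */
    struct model_skb *forw = model_forw_new(ogm, sizeof(ogm), first_aggr_on);
    int appended = 0;
    if (!forw) return -1;
    while (model_try_aggregate(forw, ogm, sizeof(ogm))) appended++;
    free(forw->head); free(forw);
    return appended;
}

int main(void)
{
    printf("allocated with aggregation off: %d appended\n", model_count_appends(0));
    printf("allocated with aggregation on:  %d appended\n", model_count_appends(1));
    return 0;
}
```

Without the comparison in model_try_aggregate, the first append in the "off" case would write 24 bytes past a 24-byte allocation, which is the condition the description attributes to skb_put.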
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 67176c96f325 |
| 5.15 | 5.15.203 | 0b10a8b355c3 |
| 6.1 | 6.1.167 | 6755347c5f9b |
| 6.12 | 6.12.78 | 6e40ebb999c2 |
| 6.18 | 6.18.20 | 0e35db29fc5a |
| 6.19 | 6.19.10 | eda89a1bae06 |
| 6.6 | 6.6.130 | 1ada20331f2d |
| mainline | 7.0 | 0d4aef630be9 |