{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-52916","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-06-09T07:44:35.367Z","datePublished":"2026-06-24T07:14:13.221Z","dateUpdated":"2026-06-24T07:14:13.221Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-24T07:14:13.221Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: frag: disallow unicast fragment in fragment\n\nbatadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a\nBATADV_UNICAST_FRAG packet is received. Once all fragments are collected\nand the packet is reassembled, batadv_recv_frag_packet() calls\nbatadv_batman_skb_recv() again to process the defragmented payload.\n\nA malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled\npayload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).\nEach nesting level recurses through batadv_batman_skb_recv() without bound,\ngrowing the kernel stack until it is exhausted.\n\nSince refragmentation or fragments in fragments are not actually allowed,\ndiscard all packets which are still BATADV_UNICAST_FRAG packets after the\ndefragmentation process."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/batman-adv/fragmentation.c"],"versions":[{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"0c208fa3859e3a33a1c38bebc41d021166e94ac8","status":"affected","versionType":"git"},{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"bcda4814dc6524283c0b958882cb963d75fe411d","status":"affected","versionType":"git"},{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"aea54d0bbe156d5ab7d00d68f66149ff41f4612a","status":"affected","versionType":"git"},{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"b54e459cf86943583c1aa2ee3081874e7ab1f5f3","status":"affected","versionType":"git"},{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"5418be6c2e117bf8a316582795a8e3ff90f45e5d","status":"affected","versionType":"git"},{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"5895ad21c7059a652da83fb817510f7a1e962abf","status":"affected","versionType":"git"},{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"7138c35c9ad39a2fca6264af6b87466471f04ffc","status":"affected","versionType":"git"},{"version":"610bfc6bc99bc83680d190ebc69359a05fc7f605","lessThan":"bc62216dc8e221e3781afa14430f45208bfa9af9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/batman-adv/fragmentation.c"],"versions":[{"version":"3.13","status":"affected"},{"version":"0","lessThan":"3.13","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.142","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.92","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.34","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.11","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.6.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.12.92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.18.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"7.0.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0c208fa3859e3a33a1c38bebc41d021166e94ac8"},{"url":"https://git.kernel.org/stable/c/bcda4814dc6524283c0b958882cb963d75fe411d"},{"url":"https://git.kernel.org/stable/c/aea54d0bbe156d5ab7d00d68f66149ff41f4612a"},{"url":"https://git.kernel.org/stable/c/b54e459cf86943583c1aa2ee3081874e7ab1f5f3"},{"url":"https://git.kernel.org/stable/c/5418be6c2e117bf8a316582795a8e3ff90f45e5d"},{"url":"https://git.kernel.org/stable/c/5895ad21c7059a652da83fb817510f7a1e962abf"},{"url":"https://git.kernel.org/stable/c/7138c35c9ad39a2fca6264af6b87466471f04ffc"},{"url":"https://git.kernel.org/stable/c/bc62216dc8e221e3781afa14430f45208bfa9af9"}],"title":"batman-adv: frag: disallow unicast fragment in fragment","x_generator":{"engine":"bippy-1.2.0"}}}}