{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31657", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.129Z", "datePublished": "2026-04-24T14:45:08.867Z", "dateUpdated": "2026-05-11T22:13:03.739Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:03.739Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: hold claim backbone gateways by reference\n\nbatadv_bla_add_claim() can replace claim->backbone_gw and drop the old\ngateway's last reference while readers still follow the pointer.\n\nThe netlink claim dump path dereferences claim->backbone_gw->orig and\ntakes claim->backbone_gw->crc_lock without pinning the underlying\nbackbone gateway. batadv_bla_check_claim() still has the same naked\npointer access pattern.\n\nReuse batadv_bla_claim_get_backbone_gw() in both readers so they operate\non a stable gateway reference until the read-side work is complete.\nThis keeps the dump and claim-check paths aligned with the lifetime\nrules introduced for the other BLA claim readers."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/bridge_loop_avoidance.c"], "versions": [{"version": "23721387c409087fd3b97e274f34d3ddc0970b74", "lessThan": "f4858832ddef2f39f21e30b7226bbcd3c4b2bc96", "status": "affected", "versionType": "git"}, {"version": "23721387c409087fd3b97e274f34d3ddc0970b74", "lessThan": "2f55b58b5a0bbed192d60c444a45a49cdf1b545f", "status": "affected", "versionType": "git"}, {"version": "23721387c409087fd3b97e274f34d3ddc0970b74", "lessThan": "7962b522222628596ca9ecc8722efc95367aadbd", "status": "affected", "versionType": "git"}, {"version": "23721387c409087fd3b97e274f34d3ddc0970b74", "lessThan": "4dee4c0688443aaf5bbec74aa203c851d1d53c35", "status": "affected", "versionType": "git"}, {"version": "23721387c409087fd3b97e274f34d3ddc0970b74", "lessThan": "1f2dc36c297d27733f1b380ea644cf15a361bd7b", "status": "affected", "versionType": "git"}, {"version": "23721387c409087fd3b97e274f34d3ddc0970b74", "lessThan": "82d8701b2c930d0e96b0dbc9115a218d791cb0d2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/bridge_loop_avoidance.c"], "versions": [{"version": "3.5", "status": "affected"}, {"version": "0", "lessThan": "3.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f4858832ddef2f39f21e30b7226bbcd3c4b2bc96"}, {"url": "https://git.kernel.org/stable/c/2f55b58b5a0bbed192d60c444a45a49cdf1b545f"}, {"url": "https://git.kernel.org/stable/c/7962b522222628596ca9ecc8722efc95367aadbd"}, {"url": "https://git.kernel.org/stable/c/4dee4c0688443aaf5bbec74aa203c851d1d53c35"}, {"url": "https://git.kernel.org/stable/c/1f2dc36c297d27733f1b380ea644cf15a361bd7b"}, {"url": "https://git.kernel.org/stable/c/82d8701b2c930d0e96b0dbc9115a218d791cb0d2"}], "title": "batman-adv: hold claim backbone gateways by reference", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "17B3C5B3-0F63-4D6D-A3AA-C6184C350124", "versionEndExcluding": "6.1.169", "versionStartIncluding": "3.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.5:-:*:*:*:*:*:*", "matchCriteriaId": "71555F5B-DEB2-417A-8E33-90276DD2EFB8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: hold claim backbone gateways by reference\n\nbatadv_bla_add_claim() can replace claim->backbone_gw and drop the old\ngateway's last reference while readers still follow the pointer.\n\nThe netlink claim dump path dereferences claim->backbone_gw->orig and\ntakes claim->backbone_gw->crc_lock without pinning the underlying\nbackbone gateway. batadv_bla_check_claim() still has the same naked\npointer access pattern.\n\nReuse batadv_bla_claim_get_backbone_gw() in both readers so they operate\non a stable gateway reference until the read-side work is complete.\nThis keeps the dump and claim-check paths aligned with the lifetime\nrules introduced for the other BLA claim readers."}], "id": "CVE-2026-31657", "lastModified": "2026-04-27T20:16:58.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:45.227", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f2dc36c297d27733f1b380ea644cf15a361bd7b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2f55b58b5a0bbed192d60c444a45a49cdf1b545f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4dee4c0688443aaf5bbec74aa203c851d1d53c35"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7962b522222628596ca9ecc8722efc95367aadbd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/82d8701b2c930d0e96b0dbc9115a218d791cb0d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f4858832ddef2f39f21e30b7226bbcd3c4b2bc96"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: batman-adv: hold claim backbone gateways by reference", "id": "2461519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461519"}, "csaw": false, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's batman-adv component. The batadv_bla_add_claim() function can improperly drop a reference to a backbone gateway while other parts of the code, such as the netlink claim dump path, still hold and attempt to use a pointer to the freed memory. This creates a use-after-free vulnerability, which could allow a local attacker to cause system instability or a denial of service (DoS)."], "name": "CVE-2026-31657", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31657\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31657\nhttps://lore.kernel.org/linux-cve-announce/2026042402-CVE-2026-31657-fbab@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23721387c409087fd3b97e274f34d3ddc0970b74,f4858832ddef2f39f21e30b7226bbcd3c4b2bc96)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23721387c409087fd3b97e274f34d3ddc0970b74,2f55b58b5a0bbed192d60c444a45a49cdf1b545f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23721387c409087fd3b97e274f34d3ddc0970b74,7962b522222628596ca9ecc8722efc95367aadbd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23721387c409087fd3b97e274f34d3ddc0970b74,4dee4c0688443aaf5bbec74aa203c851d1d53c35)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23721387c409087fd3b97e274f34d3ddc0970b74,1f2dc36c297d27733f1b380ea644cf15a361bd7b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[23721387c409087fd3b97e274f34d3ddc0970b74,82d8701b2c930d0e96b0dbc9115a218d791cb0d2)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.169,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:46:08.008561+00:00", "value": {"mitigation_remediation": ["Upgrade to a Linux kernel version that includes the batadv reference counting fix (e.g., 7.1 or later).", "If an update is not immediately available, disable batman-adv networking or bring associated interfaces down to prevent the vulnerable code from executing.", "Apply the latest kernel patch from the Git kernel repository that addresses batadv_bla_add_claim() and related netlink handling."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected kernels include Linux kernel 3.5 and all 7.0 release candidates from RC1 through RC7. Any system running these kernel versions with the batman-adv driver enabled is susceptible.", "description_and_impact": "The vulnerability exists in the batman-adv module of the Linux kernel. The function batadv_bla_add_claim() can replace the claim-backbone_gw pointer and drop the reference to the previous gateway while another reader still holds the pointer. This results in a dangling or uninitialized reference that can be dereferenced by netlink claim dump or claim check paths. The exposed dereference can corrupt the kernel\u2019s address space, yielding arbitrary code execution or a system crash. The weakness is identified as CWE-476 (Dereferenced Uninitialized Pointer).", "risk_and_exploitability": "The CVSS score of 9.8 highlights criticality, while the EPSS score of less than 1% indicates that, as of the latest data, active exploitation is uncommon but still possible. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation likely requires local privileges or a network packet that triggers the batman-adv netlink handler, as the flaw stems from a pointer misuse rather than a public-facing interface that can be called from unprivileged users. Administrators should treat this as a high-risk zero-day."}}}}, "created": "2026-04-27T18:45:11.314625+00:00", "updated": "2026-04-28T14:00:16.479487+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}