{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31659", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.129Z", "datePublished": "2026-04-24T14:45:10.254Z", "dateUpdated": "2026-05-11T22:13:06.198Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:06.198Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject oversized global TT response buffers\n\nbatadv_tt_prepare_tvlv_global_data() builds the allocation length for a\nglobal TT response in 16-bit temporaries. When a remote originator\nadvertises a large enough global TT, the TT payload length plus the VLAN\nheader offset can exceed 65535 and wrap before kmalloc().\n\nThe full-table response path still uses the original TT payload length when\nit fills tt_change, so the wrapped allocation is too small and\nbatadv_tt_prepare_tvlv_global_data() writes past the end of the heap object\nbefore the later packet-size check runs.\n\nFix this by rejecting TT responses whose TVLV value length cannot fit in\nthe 16-bit TVLV payload length field."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/translation-table.c"], "versions": [{"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "7e5d007e0df946bffb8542fb112e0044014a5897", "status": "affected", "versionType": "git"}, {"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "2997f4bd1f982e7013709946e00be89b507693fa", "status": "affected", "versionType": "git"}, {"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "95c71365a2222908441b54d6f2c315e0c79fcec3", "status": "affected", "versionType": "git"}, {"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "69d61639bc7e963c3b645e570279d731e7c89062", "status": "affected", "versionType": "git"}, {"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "f970646b9a39539d1bac86822ac78b5915455ea9", "status": "affected", "versionType": "git"}, {"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "de6c1dc3c7d01a152607e6fcecee4d5288283f10", "status": "affected", "versionType": "git"}, {"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "cf2199171ef799ca7270019125f4a91bd20ad4d9", "status": "affected", "versionType": "git"}, {"version": "7ea7b4a142758deaf46c1af0ca9ceca6dd55138b", "lessThan": "3a359bf5c61d52e7f09754108309d637532164a6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/batman-adv/translation-table.c"], "versions": [{"version": "3.13", "status": "affected"}, {"version": "0", "lessThan": "3.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7e5d007e0df946bffb8542fb112e0044014a5897"}, {"url": "https://git.kernel.org/stable/c/2997f4bd1f982e7013709946e00be89b507693fa"}, {"url": "https://git.kernel.org/stable/c/95c71365a2222908441b54d6f2c315e0c79fcec3"}, {"url": "https://git.kernel.org/stable/c/69d61639bc7e963c3b645e570279d731e7c89062"}, {"url": "https://git.kernel.org/stable/c/f970646b9a39539d1bac86822ac78b5915455ea9"}, {"url": "https://git.kernel.org/stable/c/de6c1dc3c7d01a152607e6fcecee4d5288283f10"}, {"url": "https://git.kernel.org/stable/c/cf2199171ef799ca7270019125f4a91bd20ad4d9"}, {"url": "https://git.kernel.org/stable/c/3a359bf5c61d52e7f09754108309d637532164a6"}], "title": "batman-adv: reject oversized global TT response buffers", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6549DFC-0811-4ACB-AAC7-1960F001987F", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.13:-:*:*:*:*:*:*", "matchCriteriaId": "0F72A71E-B6B2-40F2-A21D-BF7CE1514976", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: reject oversized global TT response buffers\n\nbatadv_tt_prepare_tvlv_global_data() builds the allocation length for a\nglobal TT response in 16-bit temporaries. When a remote originator\nadvertises a large enough global TT, the TT payload length plus the VLAN\nheader offset can exceed 65535 and wrap before kmalloc().\n\nThe full-table response path still uses the original TT payload length when\nit fills tt_change, so the wrapped allocation is too small and\nbatadv_tt_prepare_tvlv_global_data() writes past the end of the heap object\nbefore the later packet-size check runs.\n\nFix this by rejecting TT responses whose TVLV value length cannot fit in\nthe 16-bit TVLV payload length field."}], "id": "CVE-2026-31659", "lastModified": "2026-04-27T20:17:17.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:45.457", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2997f4bd1f982e7013709946e00be89b507693fa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3a359bf5c61d52e7f09754108309d637532164a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/69d61639bc7e963c3b645e570279d731e7c89062"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7e5d007e0df946bffb8542fb112e0044014a5897"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/95c71365a2222908441b54d6f2c315e0c79fcec3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cf2199171ef799ca7270019125f4a91bd20ad4d9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/de6c1dc3c7d01a152607e6fcecee4d5288283f10"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f970646b9a39539d1bac86822ac78b5915455ea9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: batman-adv: reject oversized global TT response buffers", "id": "2461476", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461476"}, "csaw": false, "cwe": "CWE-190", "details": ["A flaw was found in the batman-adv component of the Linux kernel. A remote attacker can exploit this vulnerability by sending a specially crafted oversized global Topology Table (TT) response. This causes an integer overflow during memory allocation, leading to a heap overflow and memory corruption. This memory corruption could potentially result in a denial of service or other unpredictable system behavior."], "name": "CVE-2026-31659", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31659\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31659\nhttps://lore.kernel.org/linux-cve-announce/2026042403-CVE-2026-31659-58eb@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,7e5d007e0df946bffb8542fb112e0044014a5897)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,2997f4bd1f982e7013709946e00be89b507693fa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,95c71365a2222908441b54d6f2c315e0c79fcec3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,69d61639bc7e963c3b645e570279d731e7c89062)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,f970646b9a39539d1bac86822ac78b5915455ea9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,de6c1dc3c7d01a152607e6fcecee4d5288283f10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,cf2199171ef799ca7270019125f4a91bd20ad4d9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[7ea7b4a142758deaf46c1af0ca9ceca6dd55138b,3a359bf5c61d52e7f09754108309d637532164a6)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.169,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:45:23.813598+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the batman\u2011adv patch that rejects oversized TT responses. ", "Disable the batman\u2011adv networking driver on systems where it is unnecessary to mitigate the vulnerability temporarily. ", "Implement network\u2011level controls to block malformed TT response packets, for example by dropping packets with excessively large TT payloads using a firewall rule or eBPF program."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in the batman\u2011adv networking driver that is compiled into the Linux kernel. All kernel releases that include the vulnerable driver before the patch, including kernels from the Linux 3.13 series through the 7.0 release candidates, are potentially affected. The impact applies to any platform running those kernels with batman\u2011adv enabled, regardless of vendor. Users of newer releases that already include the patch are not impacted.", "description_and_impact": "The batman-adv driver in the Linux kernel builds the allocation length for a global TT response in 16\u2011bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65\u2009535 and wrap before kmalloc() is called. The full\u2011table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet\u2011size check runs. This heap buffer overflow can corrupt arbitrary memory on the host, potentially allowing an attacker to execute malicious code or cause a denial of service. The vulnerability directly compromises the confidentiality, integrity, and availability of systems that run the affected kernel.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity, and the EPSS score of less than 1% shows that the likelihood of exploitation in the wild is currently low, though possible. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants attention. The flaw can be triggered by an attacker who can inject crafted TT response packets into the network path of a batman\u2011adv node, suggesting a remote network attack vector. Exploitation requires the ability to send malformed traffic to a kernel running the vulnerable driver, and the affected systems are likely to be exposed in distributed, software\u2011defined networks where batman\u2011adv is used."}}}}, "created": "2026-04-27T21:45:14.291413+00:00", "updated": "2026-04-28T14:00:16.477098+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}