CVE-2026-31657
Published: 24 April 2026
Summary
CVE-2026-31657 is a critical-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly and comprehensively mitigates the CVE by requiring timely application of Linux kernel patches that fix the unstable backbone gateway reference in batman-adv BLA claim handling, preventing NULL pointer dereferences.
- Vulnerability scanning identifies systems with vulnerable Linux kernel versions and the batman-adv module loaded, enabling prioritization and remediation of the concurrency-induced pointer instability.
- CM-7 (Least Functionality): prohibits or restricts unnecessary kernel modules such as batman-adv in non-mesh environments, eliminating exposure to this module-specific race condition vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote memory corruption (NULL dereference/use-after-free) in the network-facing batman-adv kernel module directly enables remote exploitation of services for RCE leading to kernel-level privilege escalation (T1068), exploitation of remote services (T1210), and endpoint DoS via system/application crash (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference. batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.
Deeper analysis
CVE-2026-31657 is a vulnerability in the Linux kernel's batman-adv module, specifically in the Bridge Loop Avoidance (BLA) claim handling. The issue arises in batadv_bla_add_claim(), where replacing claim->backbone_gw can drop the old gateway's last reference while readers, such as the netlink claim dump path and batadv_bla_check_claim(), still dereference claim->backbone_gw->orig and take claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. This leads to a NULL pointer dereference (CWE-476) due to unstable pointer access during concurrent operations.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, no user interaction, and no change in scope (CVSS:3.1 score of 9.8). Successful exploitation could result in high impacts on confidentiality, integrity, and availability, potentially enabling kernel crashes, data corruption, or arbitrary code execution through memory corruption in batman-adv mesh networking environments.
The provided kernel stable commit references detail the fix, which reuses batadv_bla_claim_get_backbone_gw() in reader paths like netlink dumps and claim checks to ensure a stable gateway reference is held until read-side operations complete. This aligns the affected paths with existing BLA claim reader lifetime rules. Security practitioners should apply these patches from the referenced commits to mitigate the issue in affected Linux kernels using batman-adv.
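To make the lifetime rule concrete, the following is an added userland model (example code, not the kernel's or batman-adv's own) of the reader/writer interleaving described above: a claim holds a reference-counted backbone gateway, the writer swaps it as batadv_bla_add_claim() does, and a reader either follows the naked pointer or pins the gateway first in the manner of batadv_bla_claim_get_backbone_gw(). The struct layout, the `freed` flag standing in for the kernel's actual free, and the function names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (not kernel code) of a BLA claim that points at a
 * reference-counted backbone gateway. */
struct backbone_gw {
    int refcount;     /* stands in for the kernel's kref */
    bool freed;       /* set when the last reference is dropped */
    unsigned int crc; /* stands in for the field guarded by crc_lock */
};
struct claim { struct backbone_gw *backbone_gw; };

static void gw_put(struct backbone_gw *gw)
{
    if (--gw->refcount == 0)
        gw->freed = true; /* the kernel would free the object here */
}

/* Pin the gateway before using it, in the spirit of
 * batadv_bla_claim_get_backbone_gw(); NULL if no live reference exists. */
static struct backbone_gw *claim_get_backbone_gw(struct claim *c)
{
    struct backbone_gw *gw = c->backbone_gw;
    if (!gw || gw->refcount == 0)
        return NULL;
    gw->refcount++;
    return gw;
}

/* Writer side, as in batadv_bla_add_claim(): install the new gateway and
 * drop the claim's reference to the old one. */
static void claim_replace_backbone_gw(struct claim *c, struct backbone_gw *nw)
{
    struct backbone_gw *old = c->backbone_gw;
    nw->refcount++;
    c->backbone_gw = nw;
    if (old)
        gw_put(old);
}

/* Interleaving: the reader obtains the gateway, the writer replaces it, then
 * the reader uses it. Returns true if the reader touched a freed gateway. */
static bool reader_hits_freed_gw(bool pin_reference)
{
    struct backbone_gw a = {1, false, 0xAAAA}, b = {0, false, 0xBBBB};
    struct claim c = {&a};                 /* the claim holds a's only ref */
    struct backbone_gw *gw = pin_reference ? claim_get_backbone_gw(&c)
                                           : c.backbone_gw; /* naked copy */
    claim_replace_backbone_gw(&c, &b);     /* concurrent writer runs here */
    bool hit = gw->freed;                  /* unpinned: a is already gone */
    if (pin_reference)
        gw_put(gw);                        /* read-side work done, release */
    return hit;
}
```

With the naked pointer the reader observes a gateway whose last reference has already been dropped; with the pinned reference the gateway stays alive until the reader releases it.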
Details
- CWE(s)