Cyber Posture

CVE-2026-31659

Critical

Published: 24 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.3rd percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31659 is a critical-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Requires validation of incoming global TT response TVLV lengths to prevent integer wraparound and undersized heap allocations leading to buffer overflow.
- prevent: Mandates timely remediation of the specific heap buffer overflow flaw in batman-adv via application of stable kernel patches.
- prevent: Implements kernel memory protections that restrict unauthorized code execution and limit damage from heap overflows even if allocation undersizing occurs.

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Remote unauthenticated heap buffer overflow in Linux kernel networking module (batman-adv) directly enables T1190 (public-facing network protocol exploit) and T1210 (remote service exploitation) with resulting kernel RCE facilitating T1068 (privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: reject oversized global TT response buffers

batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs. Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.

Deeper analysis [AI]

CVE-2026-31659 is a heap buffer overflow vulnerability in the batman-adv (B.A.T.M.A.N. advanced) mesh networking module of the Linux kernel. The issue arises in the batadv_tt_prepare_tvlv_global_data() function, which uses 16-bit temporaries to compute the allocation length for global Translation Table (TT) response buffers. When a remote originator advertises a sufficiently large global TT, the TT payload length plus VLAN header offset exceeds 65535, causing an integer wraparound before kmalloc(). This results in an undersized heap allocation, allowing subsequent writes to overflow the buffer before a later packet-size check.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting and sending a malicious global TT response that triggers the allocation wraparound, an attacker can write past the end of the heap object, potentially leading to arbitrary code execution, denial of service, or other severe impacts with high confidentiality, integrity, and availability consequences.

Mitigation involves applying kernel patches that reject TT responses whose TVLV value length cannot fit within the 16-bit TVLV payload length field, preventing the oversized buffer preparation. Relevant stable kernel commits are available at https://git.kernel.org/stable/c/2997f4bd1f982e7013709946e00be89b507693fa, https://git.kernel.org/stable/c/3a359bf5c61d52e7f09754108309d637532164a6, https://git.kernel.org/stable/c/69d61639bc7e963c3b645e570279d731e7c89062, https://git.kernel.org/stable/c/7e5d007e0df946bffb8542fb112e0044014a5897, and https://git.kernel.org/stable/c/95c71365a2222908441b54d6f2c315e0c79fcec3.
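The length arithmetic described above, as an added user-space model; it is not the kernel's code or the upstream patch. The function names and the `HDR_LEN` and `VLAN_ENTRY_LEN` sizes are assumptions constructed for illustration. It contrasts a sum truncated into a 16-bit temporary with a sum computed in a wide type and rejected when it cannot fit the 16-bit TVLV length field.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sizes for this model; not taken from the kernel headers. */
#define HDR_LEN        4u   /* hypothetical fixed TT TVLV header */
#define VLAN_ENTRY_LEN 8u   /* hypothetical per-VLAN record */

/* Pre-fix pattern: offset and total are held in 16-bit temporaries,
 * so a total above 65535 wraps modulo 65536 before the allocation. */
static uint16_t alloc_len_wrapping(uint32_t tt_len, uint32_t num_vlan)
{
    uint16_t change_offset = (uint16_t)(HDR_LEN + num_vlan * VLAN_ENTRY_LEN);
    uint16_t tvlv_len = (uint16_t)(tt_len + change_offset);
    return tvlv_len;
}

/* Post-fix pattern: compute in a wide type and reject any length that
 * does not fit the 16-bit field. Returns 0 and sets *out, or -1. */
static int alloc_len_checked(uint32_t tt_len, uint32_t num_vlan, uint16_t *out)
{
    uint64_t total = (uint64_t)HDR_LEN
                   + (uint64_t)num_vlan * VLAN_ENTRY_LEN + tt_len;
    if (total > UINT16_MAX)
        return -1;
    *out = (uint16_t)total;
    return 0;
}

/* Gap between the bytes the fill step needs (it still uses the original
 * tt_len) and the bytes the wrapped length would allocate; 0 if none. */
static uint64_t alloc_shortfall(uint32_t tt_len, uint32_t num_vlan)
{
    uint64_t needed = (uint64_t)HDR_LEN
                    + (uint64_t)num_vlan * VLAN_ENTRY_LEN + tt_len;
    uint16_t got = alloc_len_wrapping(tt_len, num_vlan);
    return needed > got ? needed - got : 0;
}

int main(void)
{
    uint16_t len = 0;
    /* Constructed inputs: a normal table and one that crosses 65535. */
    printf("normal:    wrapped=%u checked=%d\n",
           alloc_len_wrapping(1200, 2), alloc_len_checked(1200, 2, &len));
    printf("oversized: wrapped=%u checked=%d shortfall=%llu\n",
           alloc_len_wrapping(65530, 2), alloc_len_checked(65530, 2, &len),
           (unsigned long long)alloc_shortfall(65530, 2));
    return 0;
}
```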

Details

CWE(s)

Affected Products

linux
linux kernel
3.13, 7.0 · 3.13.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.169

CVEs Like This One

- CVE-2026-31633 (Same product: Linux Linux Kernel)
- CVE-2026-31444 (Same product: Linux Linux Kernel)
- CVE-2026-23428 (Same product: Linux Linux Kernel)
- CVE-2026-31533 (Same product: Linux Linux Kernel)
- CVE-2026-23226 (Same product: Linux Linux Kernel)
- CVE-2026-23098 (Same product: Linux Linux Kernel)
- CVE-2026-31705 (Same product: Linux Linux Kernel)
- CVE-2026-31536 (Same product: Linux Linux Kernel)
- CVE-2026-31669 (Same product: Linux Linux Kernel)
- CVE-2026-31589 (Same product: Linux Linux Kernel)

References