In the Linux kernel, the following vulnerability has been...
High severity
Unreviewed
Published
Jun 24, 2026
to the GitHub Advisory Database
•
Updated Jul 8, 2026
Description
Published by the National Vulnerability Database
Jun 24, 2026
Published to the GitHub Advisory Database
Jun 24, 2026
Last updated
Jul 8, 2026
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix tp_meter counter underflow during shutdown
batadv_tp_sender_shutdown() unconditionally decrements the "sending"
atomic counter. If multiple paths (e.g. timeout, user cancel, and
normal finish) call this function, the counter can underflow to -1.
Since the sender logic treats any non-zero value as "still sending",
a negative value causes the sender kthread to loop indefinitely.
This leads to a use-after-free when the interface is removed while
the zombie thread is still active.
Fix this by using atomic_xchg() to ensure the counter only transitions
from 1 to 0 once.
[sven: added missing change in batadv_tp_send]
References