CVE-2026-52916

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: frag: disallow unicast fragment in fragment

batadv frag skb buffer() is called by batadv batman skb recv() when a BATADV UNICAST FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv recv frag packet() calls batadv batman skb recv() again to process the defragmented payload.

A malicious sender can craft a BATADV UNICAST FRAG packet whose reassembled payload is itself a BATADV UNICAST FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv batman skb recv() without bound, growing the kernel stack until it is exhausted.

Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV UNICAST FRAG packets after the defragmentation process.