CVE-2026-31659

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the batman-adv module where the batadv tt prepare tvlv global data() function calculates the allocation length for a global TT response using 16-bit temporaries. If a remote originator advertises a sufficiently large global TT, the sum of the TT payload length and the VLAN header offset can exceed 65535, causing an integer wrap before the kmalloc() call. Because the full-table response path continues to use the original payload length when filling tt change, the allocated buffer is too small, leading to a heap-based buffer overflow where data is written past the end of the heap object.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.