CVE-2026-46233

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: bla: only purge non-released claims

When batadv bla purge claims() goes through the list of claims, it is only traversing the hash list with an rcu read lock(). Due to a potential parallel batadv claim put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv claim release(). In this case, backbone gw is set to NULL before the delayed RCU kfree is started. Calling batadv bla claim get backbone gw() is then no longer allowed because it would cause a NULL-ptr derefence.

To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.