CVE-2026-46233

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> batman-adv: bla: only purge non-released claims<br /> <br /> When batadv_bla_purge_claims() goes through the list of claims, it is only<br /> traversing the hash list with an rcu_read_lock(). Due to a potential<br /> parallel batadv_claim_put(), it can happen that it encounters a claim which<br /> was actually in the process of being released+freed by<br /> batadv_claim_release(). In this case, backbone_gw is set to NULL before the<br /> delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is<br /> then no longer allowed because it would cause a NULL-ptr derefence.<br /> <br /> To avoid this, only claims with a valid reference counter must be purged.<br /> All others are already taken care of.