CVE-2026-52915

HIGH

netfilter: ip6t_hbh: reject oversized option lists

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_hbh: reject oversized option lists struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace. Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged. `struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible: [ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'

Scores

CVSS v3 7.1
EPSS 0.0013
EPSS Percentile 2.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-129
Status published
Products (28)
linux/Kernel 2.6.12 - 5.10.258linux
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.34linux
linux/Kernel 6.19.0 - 7.0.11linux
linux/Kernel 6.2.0 - 6.6.142linux
linux/Kernel 6.7.0 - 6.12.92linux
Linux/Linux < 2.6.12
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 2d523ba48d4ecc46acfb6aba548292cfcce1ac02
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 41ec2e242f1702e8370ddfe14d22b7a766021c3e
... and 18 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026