Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.

Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.

`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:

[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s ip6t_hbh module, which processes IPv6 hop‑by‑hop options, does not validate the length of user‑supplied option lists during rule setup. This allows a crafted packet containing more than the 16 allowed option descriptors to trigger an array‑index‑out‑of‑bounds access on the fixed `opts` array. The resulting kernel panic causes a system crash and disrupts availability. No code execution or data exfiltration is possible, but the crash can be triggered remotely by sending a malformed packet to any host with the module loaded.

Affected Systems

All Linux kernel installations that include the vulnerable ip6t_hbh code path prior to the commit that added the bounds check are affected. The detailed version information is not provided, so any kernel lacking the patch for this issue is potentially vulnerable.

Risk and Exploitability

The exploit requires the ability to send specially crafted IPv6 packets that reach the kernel’s packet‑matching logic. The attack can be launched from any network with reachability to the target. While the EPSS score is unavailable and the vulnerability is not in CISA’s KEV catalog, the potential for a kernel crash represents a significant operational risk, especially for systems exposed to untrusted traffic.

Generated by OpenCVE AI on June 24, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that contains the commit adding the bounds check for ip6t_hbh
  • If the ip6t_hbh module is not essential, unload or blacklist it with `modprobe -r ip6t_hbh` or by adding it to a blacklist file
  • Configure network perimeter defenses to drop or filter IPv6 packets that include hop‑by‑hop options when possible

Generated by OpenCVE AI on June 24, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_hbh: reject oversized option lists struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace. Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged. `struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible: [ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Title netfilter: ip6t_hbh: reject oversized option lists
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:12.569Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52915

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses

No weakness.