Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.

Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.

`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:

[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Published: 2026-06-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s netfilter module for IPv6 hop‑by‑hop options, ip6t_hbh, fails to validate the number of option descriptors supplied when a rule is created. The fixed‑size options array has 16 elements, but the rule‑setup path allows a larger count to be stored, causing an array‑index‑out‑of‑bounds write and leading to a kernel panic. The flaw does not provide code execution or remote capture capabilities; it simply crashes the system as soon as a malformed rule is installed.

Affected Systems

All Linux kernel installations that include the vulnerable ip6t_hbh code path prior to the commit that added the bounds check are affected. Since the full version list is not supplied, any kernel lacking the patch or the blacklisting of the module can be vulnerable.

Risk and Exploitability

The exploitation vector is local, and based on the description it is inferred that an attacker must have the ability to create or modify netfilter rules via iptables or ip6tables, which normally requires root or administrative privileges. The EPSS score is less than 1 % and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 7.1 reflects high severity, indicating that a local privileged user can cause a denial of service by crashing the kernel when the malformed rule is installed.

Generated by OpenCVE AI on June 28, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that contains the commit adding the bounds check for ip6t_hbh
  • If the ip6t_hbh module is not essential, unload or blacklist it with `modprobe -r ip6t_hbh` or by adding it to a blacklist file
  • Configure network perimeter defenses to drop or filter IPv6 packets that include hop‑by‑hop options when possible

Generated by OpenCVE AI on June 28, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Thu, 25 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_hbh: reject oversized option lists struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace. Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged. `struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible: [ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Title netfilter: ip6t_hbh: reject oversized option lists
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:33.329Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52915

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52915 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses