Impact
The Linux kernel’s netfilter module for IPv6 hop‑by‑hop options, ip6t_hbh, fails to validate the number of option descriptors supplied when a rule is created. The fixed‑size options array has 16 elements, but the rule‑setup path allows a larger count to be stored, causing an array‑index‑out‑of‑bounds write and leading to a kernel panic. The flaw does not provide code execution or remote capture capabilities; it simply crashes the system as soon as a malformed rule is installed.
Affected Systems
All Linux kernel installations that include the vulnerable ip6t_hbh code path prior to the commit that added the bounds check are affected. Since the full version list is not supplied, any kernel lacking the patch or the blacklisting of the module can be vulnerable.
Risk and Exploitability
The exploitation vector is local, and based on the description it is inferred that an attacker must have the ability to create or modify netfilter rules via iptables or ip6tables, which normally requires root or administrative privileges. The EPSS score is less than 1 % and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 7.1 reflects high severity, indicating that a local privileged user can cause a denial of service by crashing the kernel when the malformed rule is installed.
OpenCVE Enrichment
Debian DLA