CVE-2026-52915

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace.

Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged.

struct ip6t_opts has a fixed opts[IP6T_OPTS_OPTSNR] array, where IP6T_OPTS_OPTSNR is 16, then off-by-one array access is possible:

[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2d523ba48d4ecc46acfb6aba548292cfcce1ac02affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 588933f1a2ca5ff99274f8c9f25dc3a25d0191c3affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 784aadea7a108c9f90985683caa87fb0198c6a39affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 41ec2e242f1702e8370ddfe14d22b7a766021c3eaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < db0250470f023f159094052c0bd5ab026a88ae93affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 57b0ac5e1b46f1f0338dff392ef2092e2871b412affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6feb43c0995ab3a9c826707eb46541a1696fe4f7affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4322dcde6b4173c2d8e8e6118ed290794263bcc8affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.142 <= 6.6.*unaffected
LinuxLinux6.12.92 <= 6.12.*unaffected
LinuxLinux6.18.34 <= 6.18.*unaffected
LinuxLinux7.0.11 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References