Back to overview

CVE-2026-52915

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_hbh: reject oversized option lists struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace. Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged. `struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible: [ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'

Metadata

CVE ID
CVE-2026-52915
State
PUBLISHED
Assigner
Linux
Reserved
2026-06-09 07:44 UTC
Published
2026-06-24 07:14 UTC
Last updated
2026-06-24 07:14 UTC
Vendor / Product
Linux / Linux
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (2)
VendorProductPlatformVersions
Linux Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2d523ba48d4ecc46acfb6aba548292cfcce1ac02, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 588933f1a2ca5ff99274f8c9f25dc3a25d0191c3, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 784aadea7a108c9f90985683caa87fb0198c6a39, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 41ec2e242f1702e8370ddfe14d22b7a766021c3e …
Linux Linux 2.6.12, 0 < 2.6.12, 5.10.258 ≤ 5.10.*, 5.15.209 ≤ 5.15.* …
References (8)
Back to overview