← All CVEs

CVE-2026-52915

HIGH 7.1

Published 2026-06-24 · Last modified 2026-06-28

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_hbh: reject oversized option lists struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace. Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged. `struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible: [ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'

ELEVATED IMPACT

Severe if exploited (CVSS 7.1), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.1%chance of exploitation in 30 days · 3rd percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

7.1CVSS 3.1 · HIGH

  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityHigh

What an attacker needs

  • Access: Requires local access to the host
  • Privileges: Requires a low-privilege account
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Linux

Products Linux

Weakness (CWE)

Not classified.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Sources: NVD · CVE.org · EPSS