CVE Catalog

CVE-2026-52915

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

In the Linux kernel, the netfilter ip6t_hbh module lacks validation of the Hop-by-Hop options list size. Userspace can supply an optsnr value larger than allowed (IP6T_OPTS_OPTSNR = 16), causing an out-of-bounds access on the opts array. The issue was reported by UBSAN as an array-index-out-of-bounds error.

Risk Assessment

An attacker with privileges to configure firewall rules (e.g., via nftables/iptables) could trigger a kernel panic or potentially escalate privileges by exploiting the out-of-bounds array access.

Recommendation

Immediately update the Linux kernel to a version that includes the fix validating optsnr in hbh_mt6_check(). If an update is not possible, restrict firewall rule configuration access to trusted users only.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_hbh: reject oversized option lists struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace. Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged. `struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible: [ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'

Vulnerability data from NVD (NIST) · CISA KEV · EPSS