7.1

CVE-2026-52915

netfilter: ip6t_hbh: reject oversized option lists

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.

Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.

`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:

[  137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[  137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.12.1 < 5.10.258
LinuxLinux Kernel Version >= 5.11 < 5.15.209
LinuxLinux Kernel Version >= 5.16 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.142
LinuxLinux Kernel Version >= 6.7 < 6.12.92
LinuxLinux Kernel Version >= 6.13 < 6.18.34
LinuxLinux Kernel Version >= 6.19 < 7.0.11
LinuxLinux Kernel Version2.6.12 Update-
LinuxLinux Kernel Version2.6.12 Updaterc2
LinuxLinux Kernel Version2.6.12 Updaterc3
LinuxLinux Kernel Version2.6.12 Updaterc4
LinuxLinux Kernel Version2.6.12 Updaterc5
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
LinuxLinux Kernel Version7.1 Updaterc3
LinuxLinux Kernel Version7.1 Updaterc4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.026
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02
Patch
https://git.kernel.org/stable/c/588933f1a2ca5ff99274f8c9f25dc3a25d0191c3
Patch
https://git.kernel.org/stable/c/784aadea7a108c9f90985683caa87fb0198c6a39
Patch
https://git.kernel.org/stable/c/41ec2e242f1702e8370ddfe14d22b7a766021c3e
Patch
https://git.kernel.org/stable/c/db0250470f023f159094052c0bd5ab026a88ae93
Patch
https://git.kernel.org/stable/c/57b0ac5e1b46f1f0338dff392ef2092e2871b412
Patch
https://git.kernel.org/stable/c/6feb43c0995ab3a9c826707eb46541a1696fe4f7
Patch
https://git.kernel.org/stable/c/4322dcde6b4173c2d8e8e6118ed290794263bcc8
Patch