CVE-2026-52915

EUVD-2026-38718
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.

Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.

`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:

[  137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[  137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
vulnerable
trixie (security)
6.12.94-1
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02
https://git.kernel.org/stable/c/41ec2e242f1702e8370ddfe14d22b7a766021c3e
https://git.kernel.org/stable/c/4322dcde6b4173c2d8e8e6118ed290794263bcc8
https://git.kernel.org/stable/c/57b0ac5e1b46f1f0338dff392ef2092e2871b412
https://git.kernel.org/stable/c/588933f1a2ca5ff99274f8c9f25dc3a25d0191c3
https://git.kernel.org/stable/c/6feb43c0995ab3a9c826707eb46541a1696fe4f7
https://git.kernel.org/stable/c/784aadea7a108c9f90985683caa87fb0198c6a39
https://git.kernel.org/stable/c/db0250470f023f159094052c0bd5ab026a88ae93