CVE-2026-52915 - Vulnerability Details

- netfilter: ip6t_hbh: reject oversized option lists

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.

Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.

`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array,
where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:

[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'

Published: 2026-06-24

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2d523ba48d4ecc46acfb6aba548292cfcce1ac02
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 588933f1a2ca5ff99274f8c9f25dc3a25d0191c3
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 784aadea7a108c9f90985683caa87fb0198c6a39
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 41ec2e242f1702e8370ddfe14d22b7a766021c3e
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< db0250470f023f159094052c0bd5ab026a88ae93
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 57b0ac5e1b46f1f0338dff392ef2092e2871b412
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 6feb43c0995ab3a9c826707eb46541a1696fe4f7
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4322dcde6b4173c2d8e8e6118ed290794263bcc8

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.142`	unaffected	≤ 6.6.*
`6.12.92`	unaffected	≤ 6.12.*
`6.18.34`	unaffected	≤ 6.18.*
`7.0.11`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2d523ba48d4ecc46acfb6aba548292cfcce1ac02)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,588933f1a2ca5ff99274f8c9f25dc3a25d0191c3)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,784aadea7a108c9f90985683caa87fb0198c6a39)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,41ec2e242f1702e8370ddfe14d22b7a766021c3e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,db0250470f023f159094052c0bd5ab026a88ae93)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,57b0ac5e1b46f1f0338dff392ef2092e2871b412)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6feb43c0995ab3a9c826707eb46541a1696fe4f7)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4322dcde6b4173c2d8e8e6118ed290794263bcc8)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	generic	—
`[5.10.258,5.11.0)`	unaffected	semver	—
`[5.15.209,5.16.0)`	unaffected	semver	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.142,6.7.0)`	unaffected	semver	—
`[6.12.92,6.13.0)`	unaffected	semver	—
`[6.18.34,6.19.0)`	unaffected	semver	—
`[7.0.11,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00126.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02
https://git.kernel.org/stable/c/41ec2e242f1702e8370ddfe14d22b7a766021c3e
https://git.kernel.org/stable/c/4322dcde6b4173c2d8e8e6118ed290794263bcc8
https://git.kernel.org/stable/c/57b0ac5e1b46f1f0338dff392ef2092e2871b412
https://git.kernel.org/stable/c/588933f1a2ca5ff99274f8c9f25dc3a25d0191c3
https://git.kernel.org/stable/c/6feb43c0995ab3a9c826707eb46541a1696fe4f7
https://git.kernel.org/stable/c/784aadea7a108c9f90985683caa87fb0198c6a39
https://git.kernel.org/stable/c/db0250470f023f159094052c0bd5ab026a88ae93
https://lore.kernel.org/linux-cve-announce/2026062429-CVE-2026-52915-44dd@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-52915
https://www.cve.org/CVERecord?id=CVE-2026-52915

History

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}`

Thu, 25 Jun 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-126

Thu, 25 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
References		https://lore.kernel.org/linux-cve-announce/2026062429-CVE-2026-52915-44dd@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-52915 https://www.cve.org/CVERecord?id=CVE-2026-52915
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 24 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-126

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_hbh: reject oversized option lists struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace. Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged. `struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible: [ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
Title		netfilter: ip6t_hbh: reject oversized option lists
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02 https://git.kernel.org/stable/c/41ec2e242f1702e8370ddfe14d22b7a766021c3e https://git.kernel.org/stable/c/4322dcde6b4173c2d8e8e6118ed290794263bcc8 https://git.kernel.org/stable/c/57b0ac5e1b46f1f0338dff392ef2092e2871b412 https://git.kernel.org/stable/c/588933f1a2ca5ff99274f8c9f25dc3a25d0191c3 https://git.kernel.org/stable/c/6feb43c0995ab3a9c826707eb46541a1696fe4f7 https://git.kernel.org/stable/c/784aadea7a108c9f90985683caa87fb0198c6a39 https://git.kernel.org/stable/c/db0250470f023f159094052c0bd5ab026a88ae93

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:12.569Z

Updated: 2026-06-28T06:36:33.329Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52915

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52915 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T14:00:21Z

Weaknesses

CWE-787

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object