Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace.

Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged.

`struct ip6t_opts` has a fixed `opts[IP6T_OPTS_OPTSNR]` array, where `IP6T_OPTS_OPTSNR` is 16, then off-by-one array access is possible:

```
[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
```
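The setup-time count validation described above, as an added userspace model (not the kernel's code or the actual patch). The names `opts_model`, `model_checkentry`, `model_count` and `model_install` are hypothetical, and the struct is a simplified stand-in for `struct ip6t_opts` with an 8-bit count as an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPTS_MAX 16                 /* IP6T_OPTS_OPTSNR, per the description */

struct opts_model {                 /* simplified stand-in, not the kernel struct */
    uint8_t  optsnr;                /* count supplied by the rule author: 0..255 */
    uint16_t opts[OPTS_MAX];        /* fixed-size descriptor array */
};

/* Rule-setup validation: refuse any count the fixed array cannot hold. */
int model_checkentry(const struct opts_model *m)
{
    return m->optsnr > OPTS_MAX ? -EINVAL : 0;
}

/* Install a rule only after validation, so the matching path can rely on
 * optsnr <= OPTS_MAX without re-checking it per packet. */
int model_install(struct opts_model *slot, const struct opts_model *rule)
{
    int err = model_checkentry(rule);
    if (err)
        return err;                 /* slot is left untouched on rejection */
    memcpy(slot, rule, sizeof(*slot));
    return 0;
}

/* Matching path: walks optsnr descriptors of an installed rule. With an
 * unvalidated optsnr of 17 this loop would read opts[16], the index the
 * UBSAN report flags. */
int model_count(const struct opts_model *m, uint16_t want)
{
    int hits = 0;
    for (unsigned i = 0; i < m->optsnr; i++)
        if (m->opts[i] == want)
            hits++;
    return hits;
}

int main(void)
{
    struct opts_model slot = {0}, rule = {0};
    for (unsigned n = 15; n <= 17; n++) {   /* constructed sample counts */
        rule.optsnr = (uint8_t)n;
        printf("optsnr=%u -> %d\n", n, model_install(&slot, &rule));
    }
    return 0;
}
```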
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <2d523ba48d4ecc46acfb6aba548292cfcce1ac02; 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <588933f1a2ca5ff99274f8c9f25dc3a25d0191c3; 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <784aadea7a108c9f90985683caa87fb0198c6a39; 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <41ec2e242f1702e8370ddfe14d22b7a766021c3e; 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <db0250470f023f159094052c0bd5ab026a88ae93; 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <57b0ac5e1b46f1f0338dff392ef2092e2871b412; 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <6feb43c0995ab3a9c826707eb46541a1696fe4f7; 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 to <4322dcde6b4173c2d8e8e6118ed290794263bcc8 |
| Linux | Linux | 2.6.12; 0 to <2.6.12; 5.10.258 to <=5.10.*; 5.15.209 to <=5.15.*; 6.1.175 to <=6.1.*; 6.6.142 to <=6.6.*; 6.12.92 to <=6.12.*; 6.18.34 to <=6.18.*; 7.0.11 to <=7.0.*; 7.1 to <=* |
References
- https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02
- https://git.kernel.org/stable/c/588933f1a2ca5ff99274f8c9f25dc3a25d0191c3
- https://git.kernel.org/stable/c/784aadea7a108c9f90985683caa87fb0198c6a39
- https://git.kernel.org/stable/c/41ec2e242f1702e8370ddfe14d22b7a766021c3e
- https://git.kernel.org/stable/c/db0250470f023f159094052c0bd5ab026a88ae93
- https://git.kernel.org/stable/c/57b0ac5e1b46f1f0338dff392ef2092e2871b412
- https://git.kernel.org/stable/c/6feb43c0995ab3a9c826707eb46541a1696fe4f7
- https://git.kernel.org/stable/c/4322dcde6b4173c2d8e8e6118ed290794263bcc8
Generated from the official CVE List on 24 Jun 2026 09:35 UTC.