Skip to main content

Linux Kernel CVE-2026-52915

| EUVDEUVD-2026-38718 HIGH
Improper Validation of Array Index (CWE-129)
2026-06-24 Linux GHSA-9hfh-p7qh-475c
7.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Local rule installation needs CAP_NET_ADMIN so PR:L and AV:L; out-of-bounds access yields memory disclosure (C:H) and kernel crash (A:H) but no integrity impact (I:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 10:34 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6t_hbh: reject oversized option lists

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace.

Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged.

struct ip6t_opts has a fixed opts[IP6T_OPTS_OPTSNR] array, where IP6T_OPTS_OPTSNR is 16, then off-by-one array access is possible:

[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'

AnalysisAI

Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain CAP_NET_ADMIN (root or userns)
Delivery
Craft ip6t_hbh match with optsnr ≥ 16
Exploit
Install rule invoking hbh_mt6_check()
Execution
Out-of-bounds access of opts[16] array
Impact
Kernel crash or memory disclosure

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to install or modify ip6tables rules, i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a moderate, locally-scoped issue rather than an urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with CAP_NET_ADMIN - for example an unprivileged user who has entered a user+network namespace inside a container - installs a crafted ip6tables rule using the hbh match with optsnr set to 16 or higher. During rule setup hbh_mt6_check() accesses the opts[] array out of bounds, crashing the kernel (DoS) or potentially disclosing adjacent kernel memory. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 7.0.11, or 6.18.34 (or later within each series) per your branch, applying the commits at https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02 and the related stable commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Linux systems running IPv6 and cross-reference against your Linux distribution's security advisories (Red Hat, Debian, Ubuntu, CentOS, etc.) to identify vulnerable kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy