Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local rule installation needs CAP_NET_ADMIN so PR:L and AV:L; out-of-bounds access yields memory disclosure (C:H) and kernel crash (A:H) but no integrity impact (I:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_hbh: reject oversized option lists
struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace.
Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged.
struct ip6t_opts has a fixed opts[IP6T_OPTS_OPTSNR] array, where IP6T_OPTS_OPTSNR is 16, then off-by-one array access is possible:
[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29 [ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
AnalysisAI
Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to install or modify ip6tables rules, i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a moderate, locally-scoped issue rather than an urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with CAP_NET_ADMIN - for example an unprivileged user who has entered a user+network namespace inside a container - installs a crafted ip6tables rule using the hbh match with optsnr set to 16 or higher. During rule setup hbh_mt6_check() accesses the opts[] array out of bounds, crashing the kernel (DoS) or potentially disclosing adjacent kernel memory. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 7.0.11, or 6.18.34 (or later within each series) per your branch, applying the commits at https://git.kernel.org/stable/c/2d523ba48d4ecc46acfb6aba548292cfcce1ac02 and the related stable commits. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Linux systems running IPv6 and cross-reference against your Linux distribution's security advisories (Red Hat, Debian, Ubuntu, CentOS, etc.) to identify vulnerable kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38718
GHSA-9hfh-p7qh-475c