PT-2026-51708 · Linux · Linux

Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-52915

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_hbh: reject oversized option lists
struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors, but hbh_mt6_check() does not reject larger optsnr values supplied from userspace.
Validate optsnr in the rule setup path so only match data that fits the fixed-size opts array can be installed. This follows the existing xtables pattern of rejecting invalid user-provided counts in checkentry() and keeps the packet matching path unchanged.
struct ip6t_opts has a fixed opts[IP6T_OPTS_OPTSNR] array, where IP6T_OPTS_OPTSNR is 16, then off-by-one array access is possible:
[ 137.924693][ T8692] UBSAN: array-index-out-of-bounds in ../net/ipv6/netfilter/ip6t_hbh.c:110:29
[ 137.926167][ T8692] index 16 is out of range for type '__u16 [16]'
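The setup-time validation described above, as an added userspace model that is not the kernel patch or code from this page. The names `opts_model`, `model_checkentry`, `model_install`, `model_count_type` and `model_try`, the reduced struct layout, and the "option type in the high byte" descriptor encoding are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPTS_MAX 16 /* same value the advisory gives for IP6T_OPTS_OPTSNR */

/* Userspace model of the match data (names and layout are assumptions). */
struct opts_model {
    uint16_t opts[OPTS_MAX]; /* fixed-size descriptor array */
    uint8_t  optsnr;         /* user-supplied count, can hold 0..255 */
};

/* Setup-time check: refuse any count the fixed array cannot hold. */
int model_checkentry(const struct opts_model *info)
{
    return info->optsnr > OPTS_MAX ? -EINVAL : 0;
}

/* Install path: copy the user blob only after validation succeeds. */
int model_install(struct opts_model *dst, const struct opts_model *user)
{
    int err = model_checkentry(user);
    if (err)
        return err;
    memcpy(dst, user, sizeof(*dst));
    return 0;
}

/* Match-path walker: trusts optsnr, so it is only safe on installed rules.
 * Counts descriptors whose high byte (assumed encoding) equals `type`. */
size_t model_count_type(const struct opts_model *rule, uint8_t type)
{
    size_t hits = 0;
    for (size_t i = 0; i < rule->optsnr; i++)
        if ((rule->opts[i] >> 8) == type)
            hits++;
    return hits;
}

/* Constructed sample: claim `n` descriptors, install, then walk the rule.
 * Returns the walker's hit count for type 0x05, or a negative errno. */
int model_try(uint8_t n)
{
    struct opts_model user = { .optsnr = n }, installed;
    for (size_t i = 0; i < OPTS_MAX; i++)
        user.opts[i] = 0x0500; /* constructed descriptor value */
    int err = model_install(&installed, &user);
    return err ? err : (int)model_count_type(&installed, 0x05);
}
```

Because the walker is left unchanged and simply trusts `optsnr`, the boundary that matters is the install step: a count of 16 is the largest value that reaches the walker, and 17 through 255 never do.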

Related Identifiers

CVE-2026-52915

Affected Products

Linux