CVE-2026-23456
Out-of-Bounds Read in Linux netfilter nf_conntrack_h323 Component
Publication date: 2026-04-03
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's netfilter component, specifically in the nf_conntrack_h323 module. It involves an out-of-bounds (OOB) read in the decode_int() function within the CONS case. The function calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without verifying that the buffer contains enough bytes for the requested read. The boundary check only validates the 2 bits read by get_bits(), not the subsequent 1 to 4 bytes read by get_uint(). This flaw allows a malformed H.323/RAS packet to trigger a 1-4 byte slab out-of-bounds read.
The fix involves adding a boundary check for the length bytes after get_bits() and before get_uint() to prevent reading beyond the buffer.
How can this vulnerability impact me? :
This vulnerability can lead to an out-of-bounds read of 1 to 4 bytes in kernel memory when processing malformed H.323/RAS packets. Such out-of-bounds reads can potentially cause system instability, crashes, or may be leveraged by attackers to gain information about kernel memory, which could aid in further exploitation.