CVE-2026-23456
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Read in Linux netfilter nf_conntrack_h323 Component

Publication date: 2026-04-03

Last updated on: 2026-05-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23456
EUVD
EUVD-2026-18712
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 2.6.17 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's netfilter component, specifically in the nf_conntrack_h323 module. It involves an out-of-bounds (OOB) read in the decode_int() function within the CONS case. The function calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without verifying that the buffer contains enough bytes for the requested read. The boundary check only validates the 2 bits read by get_bits(), not the subsequent 1 to 4 bytes read by get_uint(). This flaw allows a malformed H.323/RAS packet to trigger a 1-4 byte slab out-of-bounds read.

The fix involves adding a boundary check for the length bytes after get_bits() and before get_uint() to prevent reading beyond the buffer.

Impact Analysis

This vulnerability can lead to an out-of-bounds read of 1 to 4 bytes in kernel memory when processing malformed H.323/RAS packets. Such out-of-bounds reads can potentially cause system instability, crashes, or may be leveraged by attackers to gain information about kernel memory, which could aid in further exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart