CVE-2026-43233
Status: Awaiting Analysis (queue)
Out-of-Bounds Read in Linux Kernel's nf_conntrack_h323

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function:

    unsigned int type, ext, len = 0;
    ...
    if (ext || (son->attr & OPEN)) {
        BYTE_ALIGN(bs);
        if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */
            return H323_ERROR_BOUND;
        len = get_len(bs); /* OOB read */

When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well.

This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer.

Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized `len`. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len().
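The following is an added example, not code from the kernel or from this advisory. It is a stand-alone C model of the boundary check described above: `struct bitstr`, `error_boundary()` and `get_len_width()` are simplified stand-ins for the kernel's `struct bitstr`, `nf_h323_error_boundary()` and `get_len()`, built only from what the description states (the `bs->cur + bytes > bs->end` comparison, and get_len() reading a second byte when bit 7 of the first is set). The sample buffers are constructed; the two bytes after the 2-byte PER payload stand in for whatever follows the buffer in memory. Running it shows why the `len == 0` check admits an exhausted buffer while the 2-byte check rejects it.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the PER bitstream cursor (constructed for this example; field
 * names follow bs->cur / bs->end from the commit message). */
struct bitstr {
    const unsigned char *cur;   /* next byte to be read */
    const unsigned char *end;   /* one past the last valid byte */
    unsigned int bit;           /* bit offset inside *cur; 0 after BYTE_ALIGN() */
};

/* Placeholder error value; only its non-zero-ness matters here. */
#define H323_ERROR_BOUND (-1)

/* Model of nf_h323_error_boundary(): non-zero when reading `bytes` more
 * bytes plus `bits` more bits would run past bs->end. */
static int error_boundary(const struct bitstr *bs, size_t bytes, size_t bits)
{
    bits += bs->bit;
    bytes += bits / 8;
    if (bits % 8 > 0)
        bytes++;
    return bs->cur + bytes > bs->end;
}

/* get_len() reads one byte unconditionally and a second one when bit 7 of
 * the first is set; this returns how many bytes it would consume. */
static size_t get_len_width(unsigned char first_byte)
{
    return (first_byte & 0x80) ? 2 : 1;
}

/* Vulnerable pattern from decode_choice(): `len` is still 0 at the check. */
static int check_vulnerable(const struct bitstr *bs)
{
    unsigned int len = 0;
    return error_boundary(bs, len, 0) ? H323_ERROR_BOUND : 0;
}

/* Fixed pattern: check for the 2 bytes get_len() may read. */
static int check_fixed(const struct bitstr *bs)
{
    return error_boundary(bs, 2, 0) ? H323_ERROR_BOUND : 0;
}

/* Run `check` on a buffer of `valid_len` bytes of which `consumed` have
 * already been decoded, then see whether get_len() would read past bs->end.
 * `backing` must extend beyond valid_len so the peek at the byte after the
 * buffer stays inside this model. Returns -1 if the check rejects,
 * otherwise the number of bytes get_len() would read past end (0, 1 or 2). */
static int oob_bytes(int (*check)(const struct bitstr *),
                     const unsigned char *backing, size_t valid_len, size_t consumed)
{
    struct bitstr bs = { backing + consumed, backing + valid_len, 0 };
    const unsigned char *after;

    if (check(&bs))
        return -1;

    after = bs.cur + get_len_width(*bs.cur);
    return after > bs.end ? (int)(after - bs.end) : 0;
}

/* Constructed samples: the 2-byte PER payload {0x08, 0x00} from the
 * description followed by two bytes standing in for adjacent memory.
 * Only the first SAMPLE_VALID bytes belong to the buffer. */
#define SAMPLE_VALID 2
static const unsigned char sample_bit7_set[]   = { 0x08, 0x00, 0x80, 0x41 };
static const unsigned char sample_bit7_clear[] = { 0x08, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("exhausted buffer, next byte 0x80: vulnerable=%d fixed=%d\n",
           oob_bytes(check_vulnerable, sample_bit7_set, SAMPLE_VALID, SAMPLE_VALID),
           oob_bytes(check_fixed, sample_bit7_set, SAMPLE_VALID, SAMPLE_VALID));
    printf("exhausted buffer, next byte 0x00: vulnerable=%d fixed=%d\n",
           oob_bytes(check_vulnerable, sample_bit7_clear, SAMPLE_VALID, SAMPLE_VALID),
           oob_bytes(check_fixed, sample_bit7_clear, SAMPLE_VALID, SAMPLE_VALID));
    printf("untouched buffer: vulnerable=%d fixed=%d\n",
           oob_bytes(check_vulnerable, sample_bit7_set, SAMPLE_VALID, 0),
           oob_bytes(check_fixed, sample_bit7_set, SAMPLE_VALID, 0));
    return 0;
}
```

With the buffer fully consumed, the vulnerable check passes and the model reports a 2-byte over-read when the byte after the buffer has bit 7 set, 1 byte otherwise, matching the "1-2 byte" read in the description; the fixed check returns H323_ERROR_BOUND in both cases. The fixed check is deliberately conservative: it also rejects a buffer with only one byte left, even when that byte's bit 7 is clear, because it budgets for the maximum get_len() may read rather than inspecting the byte first.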
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor        Product       Version / Range
linux_kernel  linux_kernel  *
Exploitability
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's netfilter nf_conntrack_h323 module, specifically in the decode_choice() function. The issue arises because a boundary check uses an uninitialized variable 'len' which is zero at that point, leading to an out-of-bounds (OOB) read when get_len() is called.

When a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data is sent to port 1720 through a firewall with the nf_conntrack_h323 helper active, the decoder consumes the PER buffer fully but then attempts to read 1-2 bytes past the end of the buffer. This results in a heap-buffer-overflow read.

The fix involves properly checking for 2 bytes of available data before calling get_len(), preventing the out-of-bounds read.


How can this vulnerability impact me?

This vulnerability can lead to a heap-buffer-overflow read, which may cause the affected system to behave unpredictably or crash. Since it can be triggered remotely by sending a crafted message to port 1720, it poses a risk of remote exploitation.

Potential impacts include denial of service or information disclosure due to reading memory beyond the intended buffer.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring proper boundary checks before calling get_len() in the nf_conntrack_h323 helper of the Linux kernel netfilter module.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this vulnerability.

Additionally, if possible, disabling the nf_conntrack_h323 helper or blocking traffic on port 1720 (used by H.323) through the firewall can reduce exposure until the patch is applied.

