VYPR
High severity · 8.2 · NVD Advisory · Published Apr 3, 2026 · Updated Apr 27, 2026

CVE-2026-23456

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.

Add a boundary check for len bytes after get_bits() and before get_uint().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's nf_conntrack H.323 module, an OOB read in decode_int()'s CONS case allows a malformed H.323/RAS packet to cause a slab-out-of-bounds read of up to 4 bytes.

Vulnerability

CVE-2026-23456 is an out-of-bounds (OOB) read vulnerability in the Linux kernel's netfilter subsystem, specifically within the nf_conntrack_h323 module. The bug resides in the decode_int() function's CONS case. The function uses get_bits(bs, 2) to read a 2-bit length value, and then calls get_uint(bs, len) to read the actual integer. The code only verified that the 2 bits could be read, but neglected to check that len bytes (1–4) remained in the buffer before reading them, leading to a 1–4 byte slab-out-of-bounds read when processing a crafted H.323/RAS packet [1][2].
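The following C model is an added example, not the kernel source or the upstream patch. It places the bounds check for len bytes between the 2-bit length read and the value read. The struct and function names, the "field value + 1" length mapping, the byte alignment and the big-endian order are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified user-space model; names are hypothetical, not the kernel's. */
struct bitreader {
    const unsigned char *cur, *end; /* next byte; one past the last byte */
    unsigned int bit;               /* bit offset in *cur, 0 = MSB */
};

/* 1 if `bytes` bytes plus `bits` bits can be read without passing end. */
static int has_room(const struct bitreader *br, size_t bytes, unsigned int bits)
{
    return bytes + (br->bit + bits + 7) / 8 <= (size_t)(br->end - br->cur);
}

/* Read n bits MSB-first; the caller has already checked there is room. */
static unsigned int get_bits(struct bitreader *br, unsigned int n)
{
    unsigned int v = 0;
    while (n--) {
        v = (v << 1) | ((*br->cur >> (7 - br->bit)) & 1u);
        if (++br->bit == 8) { br->bit = 0; br->cur++; }
    }
    return v;
}

/* Decode a 2-bit length followed by 1-4 value bytes. 0 = ok, -1 = truncated. */
static int decode_cons_int(const unsigned char *buf, size_t n, unsigned int *out)
{
    struct bitreader br = { buf, buf + n, 0 };
    unsigned int len, v = 0;
    if (!has_room(&br, 0, 2))      /* covers only the 2-bit length field */
        return -1;
    len = get_bits(&br, 2) + 1;    /* assumed encoding: field value + 1 bytes */
    if (br.bit) { br.bit = 0; br.cur++; }  /* assumed: value is byte-aligned */
    if (!has_room(&br, len, 0))    /* the added check: len bytes must remain */
        return -1;
    while (len--)
        v = (v << 8) | *br.cur++;  /* big-endian, an assumption of this model */
    *out = v;
    return 0;
}

int main(void)
{
    const unsigned char truncated[] = { 0xC0, 0x01 }; /* constructed: claims 4 bytes, has 1 */
    unsigned int v = 0;
    printf("truncated input -> %d\n", decode_cons_int(truncated, sizeof truncated, &v));
    return 0;
}
```

Without the second has_room() call, the constructed truncated input would pass the 2-bit check and the value loop would read past the end of the buffer.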

Exploitation

An attacker can exploit this flaw by sending a specially crafted H.323/RAS packet to a system running a vulnerable kernel with the nf_conntrack_h323 module enabled (e.g., when tracking VoIP connections). No authentication is required, as the packet is processed at the network level. The attack surface is limited to systems that use the nf_conntrack H.323 helper, which is not enabled in every Linux distribution. The OOB read occurs during packet inspection and parsing in kernel space, meaning a remote attacker could trigger the vulnerability by sending a single malformed packet [1][3].

Impact

Successful exploitation results in reading up to 4 bytes of memory beyond the allocated slab buffer. This can leak sensitive kernel heap data to the attacker, aiding further attacks (e.g., information gathering for a subsequent privilege escalation). In some configurations, repeated OOB reads might cause a kernel crash, leading to a denial-of-service condition. The vulnerability is rated High with a CVSS v3 score of 8.2 due to the combination of remote triggerability and potential for information disclosure and system instability [1][4].

Mitigation

The issue is fixed in the Linux kernel by commit fb6c3596823ec5dd09c2123340330d7448f51a59 (and equivalent stable backports), which adds a proper length check after get_bits() and before get_uint(). Users should update to a kernel version containing this fix. For users who cannot update immediately, the only workaround is to disable the H.323 connection tracking helper if it is not needed, by unloading or blacklisting the nf_conntrack_h323 module [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
