CVE-2026-23457
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary.
For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser.
Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer truncation in Linux kernel's SIP conntrack helper allows crafted SIP messages to bypass message boundary parsing, potentially leading to SDP injection.
Vulnerability
In the Linux kernel's netfilter connection tracking helper for SIP (nf_conntrack_sip), the function sip_help_tcp() parses the SIP Content-Length header using simple_strtoul(), which returns an unsigned long. However, the result is stored in a variable clen is declared as unsigned int. On 64-bit systems, this truncation silently discards high-order bits when the Content-Length value exceeds UINT_MAX. For example, a value of 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate the SIP message boundary [1][2].
Exploitation
An attacker can craft a SIP message with a Content-Length header containing a value larger than UINT_MAX. The truncated value causes the parser to treat the current message as shorter than it actually is. The remaining data in the TCP segment is then interpreted as a new SIP message and processed by the SDP parser. No authentication is required beyond the ability to send SIP traffic to a system using the SIP conntrack helper [1][2].
Impact
Successful exploitation allows an attacker to inject arbitrary SDP content into the connection tracking state. This can lead to manipulation of SIP session parameters, potentially enabling further attacks such as media redirection or denial of service or unauthorized call control. The vulnerability is rated High with a CVSS v3 score of 8.6 [1][2].
Mitigation
The fix changes clen to unsigned long to match the return type of simple_strtoul() and adds a check to reject Content-Length values that exceed the remaining TCP payload length. Patches have been applied to the Linux kernel stable branches as referenced in commits [1][2][3][4]. Users should update to the latest patched kernel version.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383nvd
- git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659nvd
- git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9nvd
- git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027nvd
- git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42fnvd
- git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015nvd
- git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873nvd
- git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57cnvd
News mentions
0No linked articles in our index yet.