Linux Kernel: nf_conntrack_h323 OOB read in decode_int()
CVE-2026-23456 Published on April 3, 2026
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
value, then calls get_uint(bs, len) without checking that len bytes
remain in the buffer. The existing boundary check only validates the
2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
slab-out-of-bounds read.
Add a boundary check for len bytes after get_bits() and before
get_uint().
Products Associated with CVE-2026-23456
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 5e35941d990123f155b02d5663e51a24f816b6f3 and below 41b417ff73a24b2c68134992cc44c88db27f482d is affected.
- Version 5e35941d990123f155b02d5663e51a24f816b6f3 and below 52235bf88159a1ef16434ab49e47e99c8a09ab20 is affected.
- Version 5e35941d990123f155b02d5663e51a24f816b6f3 and below 774a434f8c9c8602a976b2536f65d0172a07f4d2 is affected.
- Version 5e35941d990123f155b02d5663e51a24f816b6f3 and below 6bce72daeccca9aa1746e92d6c3d4784e71f2ebb is affected.
- Version 5e35941d990123f155b02d5663e51a24f816b6f3 and below fb6c3596823ec5dd09c2123340330d7448f51a59 is affected.
- Version 5e35941d990123f155b02d5663e51a24f816b6f3 and below 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a is affected.
- Version 2.6.17 is affected.
- Before 2.6.17 is unaffected.
- Version 6.1.167, <= 6.1.* is unaffected.
- Version 6.6.130, <= 6.6.* is unaffected.
- Version 6.12.78, <= 6.12.* is unaffected.
- Version 6.18.20, <= 6.18.* is unaffected.
- Version 6.19.10, <= 6.19.* is unaffected.
- Version 7.0-rc5, <= * is unaffected.