{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23455", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.020Z", "datePublished": "2026-04-03T15:15:36.869Z", "dateUpdated": "2026-05-11T22:07:19.268Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:19.268Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_h323_asn1.c"], "versions": [{"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "2121f5fbe88daff0f1fc5bc47d359426c74b86b0", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "65fa92f79677858b14b9e4b7275f26639afe2710", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "495e97af9e7249ee02b72bb1d0848a6efc3700f4", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "f5e4f4e4cdb75ec36802059a94195a31f193da60", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "633e8f87dad32263f6a57dccdb873f042c062111", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "b652b05d51003ac074b912684f9ec7486231717b", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "f173d0f4c0f689173f8cdac79991043a4a89bf66", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_h323_asn1.c"], "versions": [{"version": "2.6.17", "status": "affected"}, {"version": "0", "lessThan": "2.6.17", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0"}, {"url": "https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710"}, {"url": "https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"}, {"url": "https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"}, {"url": "https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"}, {"url": "https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"}, {"url": "https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"}, {"url": "https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"}], "title": "netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."}], "id": "CVE-2026-23455", "lastModified": "2026-04-27T14:16:33.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:32.123", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()", "id": "2454810", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454810"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-191", "details": ["A flaw was found in the Linux kernel's netfilter subsystem, specifically within the `nf_conntrack_h323` module. This vulnerability occurs in the `DecodeQ931()` function when processing a zero-length value from a packet. An integer underflow during a length calculation results in a large, incorrect value being passed to a subsequent function, leading to an out-of-bounds read. This could allow an attacker to cause a denial of service or potentially disclose sensitive information."], "name": "CVE-2026-23455", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23455\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23455\nhttps://lore.kernel.org/linux-cve-announce/2026040317-CVE-2026-23455-f045@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,495e97af9e7249ee02b72bb1d0848a6efc3700f4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,f5e4f4e4cdb75ec36802059a94195a31f193da60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,633e8f87dad32263f6a57dccdb873f042c062111)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,b652b05d51003ac074b912684f9ec7486231717b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,f173d0f4c0f689173f8cdac79991043a4a89bf66)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,2.6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:38:47.615709+00:00", "value": {"mitigation_remediation": ["Update to a Linux kernel version that includes the zero\u2011length check commit.", "If an update cannot be applied immediately, isolate the system or block H.323 traffic until the patch is applied.", "Monitor vendor advisories and apply the fix as soon as it is released."], "summary": {"action": "Patch promptly", "impact": "Out-of-bounds read"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the nf_conntrack_h323 module and lack the commit adding the zero\u2011length check are vulnerable. Vendor: Linux. Product: Linux kernel. Specific affected versions are not enumerated in the advisory; any kernel prior to the patch that processes H.323 traffic via nf_conntrack is susceptible.", "description_and_impact": "The nf_conntrack_h323 module in the Linux kernel contains a flaw in DecodeQ931(). The function reads a 16\u2011bit length from the packet, decrements it to skip a protocol discriminator byte, and passes the result to DecodeH323_UserInformation(). If the original length is zero, the decrement underflows to \u20131, which the decoder interprets as a large positive number, leading to an out-of-bounds read into kernel memory. The attacker can trigger the wrap by sending a crafted H.323 packet. The vulnerability allows an attacker to read arbitrary kernel memory without executing code or causing a crash.", "risk_and_exploitability": "The CVSS v3 score of 9.1 indicates medium\u2011to\u2011high severity. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, suggesting a low probability of exploitation. The flaw is reachable over the network, as the nf_conntrack module processes inbound H.323 traffic. An attacker who can inject crafted packets to the target can trigger the out-of-bounds read, leading to possible information disclosure. No privilege escalation, code execution, or denial of service is achieved."}}}}, "created": "2026-04-03T21:13:43.254417+00:00", "updated": "2026-04-28T16:45:06.180564+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}