{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23456", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.020Z", "datePublished": "2026-04-03T15:15:37.534Z", "dateUpdated": "2026-05-11T22:07:20.438Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:20.438Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case\n\nIn decode_int(), the CONS case calls get_bits(bs, 2) to read a length\nvalue, then calls get_uint(bs, len) without checking that len bytes\nremain in the buffer. The existing boundary check only validates the\n2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()\nreads. This allows a malformed H.323/RAS packet to cause a 1-4 byte\nslab-out-of-bounds read.\n\nAdd a boundary check for len bytes after get_bits() and before\nget_uint()."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_h323_asn1.c"], "versions": [{"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "a2cd54b9348e485d338b3c132338a4410c99afaf", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "c95dc674ebf01ecfb40388b6facfc89b81fed3b7", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "41b417ff73a24b2c68134992cc44c88db27f482d", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "52235bf88159a1ef16434ab49e47e99c8a09ab20", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "774a434f8c9c8602a976b2536f65d0172a07f4d2", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "6bce72daeccca9aa1746e92d6c3d4784e71f2ebb", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "fb6c3596823ec5dd09c2123340330d7448f51a59", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "1e3a3593162c96e8a8de48b1e14f60c3b57fca8a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_h323_asn1.c"], "versions": [{"version": "2.6.17", "status": "affected"}, {"version": "0", "lessThan": "2.6.17", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf"}, {"url": "https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7"}, {"url": "https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d"}, {"url": "https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20"}, {"url": "https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2"}, {"url": "https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb"}, {"url": "https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59"}, {"url": "https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a"}], "title": "netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case\n\nIn decode_int(), the CONS case calls get_bits(bs, 2) to read a length\nvalue, then calls get_uint(bs, len) without checking that len bytes\nremain in the buffer. The existing boundary check only validates the\n2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()\nreads. This allows a malformed H.323/RAS packet to cause a 1-4 byte\nslab-out-of-bounds read.\n\nAdd a boundary check for len bytes after get_bits() and before\nget_uint()."}], "id": "CVE-2026-23456", "lastModified": "2026-04-27T14:16:34.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:32.300", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case", "id": "2454851", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454851"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the Linux kernel's netfilter H.323 connection tracking module. A remote attacker could exploit this vulnerability by sending a specially crafted H.323/RAS (H.323 Registration, Admission, and Status) packet. The system's processing of these packets could lead to an out-of-bounds read of 1-4 bytes, potentially causing information disclosure or a denial of service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the nf_conntrack_h323 module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. This will disable H.323 connection tracking for NAT."}, "name": "CVE-2026-23456", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23456\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23456\nhttps://lore.kernel.org/linux-cve-announce/2026040318-CVE-2026-23456-7da2@gregkh/T"], "statement": "This vulnerability is remotely exploitable via malformed H.323/RAS network packets. However, exploitation requires the nf_conntrack_h323 module to be loaded, which is only needed for H.323 VoIP traffic traversing NAT. The out-of-bounds read is limited to 1-4 bytes and most likely causes a crash rather than meaningful data leakage.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,41b417ff73a24b2c68134992cc44c88db27f482d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,52235bf88159a1ef16434ab49e47e99c8a09ab20)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,774a434f8c9c8602a976b2536f65d0172a07f4d2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,6bce72daeccca9aa1746e92d6c3d4784e71f2ebb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,fb6c3596823ec5dd09c2123340330d7448f51a59)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,1e3a3593162c96e8a8de48b1e14f60c3b57fca8a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,1e3a3593162c96e8a8de48b1e14f60c3b57fca8a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:38:22.020827+00:00", "value": {"mitigation_remediation": ["Upgrade to a Linux kernel version that includes the patch for this issue", "If upgrading is not feasible, disable the nf_conntrack_h323 module or unload all H.323 conntrack modules to prevent processing of H.323 traffic", "Configure network filtering or firewall rules to reject malformed H.323 packets from untrusted sources", "Monitor system logs for anomalous H.323 activity and investigate any unexpected traffic"], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Linux kernel for all distributions that ship with the nf_conntrack_h323 conntrack module and that have not yet incorporated the patch. The CNA entry lists only Linux:Linux, and no specific versions are enumerated, so every kernel prior to the commit that introduced the boundary check is affected. Users should verify whether their running kernel matches the repositories referenced in the advisory to determine vulnerability status.", "description_and_impact": "The nf_conntrack_h323 module in the Linux kernel contains a boundary\u2011check failure in its decode_int() routine. In the CONS case, the routine reads a length value with get_bits(bs,2) and then calls get_uint(bs,len) without validating that len bytes remain on the buffer. This omission permits a crafted H.323/RAS packet to trigger a 1\u20134 byte out\u2011of\u2011bounds read from kernel memory. The flaw is a CWE\u2011125 boundary\u2011check failure that can expose privileged kernel data to a remote attacker.", "risk_and_exploitability": "The CVSS v3 score of 8.2 indicates high severity. The EPSS score is less than 1%, implying a very low likelihood of exploitation in the wild, and the flaw is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to inject a malformed H.323 packet into the network interface that the kernel processes, so remote access to that interface is needed. Because the read is small, the immediate impact is information disclosure, but the data leaked could aid more complex attacks, so the overall risk remains significant for exposed systems. The likely attack vector is inferred to be a remote network attacker sending crafted H.323 traffic to the target. The vulnerability does not provide a code execution path by itself."}}}}, "created": "2026-04-03T21:13:42.322101+00:00", "updated": "2026-04-28T16:45:06.179082+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}