CVE-2026-23455
Published: Apr 3, 2026
Modified: May 11, 2026
CVSS v3.1
9.1
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.
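A simplified model of the length handling described above, added here as an illustration; it is not the kernel's DecodeQ931() code. The function names, the sample bytes, and the conversion of the signed length to size_t at the decoder boundary are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: 2-byte big-endian length, discriminator, payload. */
static const uint8_t ZERO_LEN[] = { 0x00, 0x00 };
static const uint8_t VALID[]    = { 0x00, 0x03, 0x05, 0xAA, 0xBB };

/* Read the 16-bit length and bound it by the bytes left; -1 if truncated. */
static int read_len(const uint8_t *p, size_t sz)
{
    if (sz < 2)
        return -1;
    int len = (p[0] << 8) | p[1];
    return (sz - 2 < (size_t)len) ? -1 : len;
}

/* Pre-fix pattern: decrement without checking the result. */
static int uuie_len_unchecked(const uint8_t *p, size_t sz, size_t *out)
{
    int len = read_len(p, sz);
    if (len < 0)
        return -1;
    len--;                /* encoded 0 becomes -1 */
    *out = (size_t)len;   /* assumed decoder takes size_t: -1 is SIZE_MAX */
    return 0;
}

/* Fixed pattern: require a positive length after the decrement. */
static int uuie_len_checked(const uint8_t *p, size_t sz, size_t *out)
{
    int len = read_len(p, sz);
    if (len < 0)
        return -1;
    len--;
    if (len <= 0)
        return -1;        /* nothing left after the discriminator */
    *out = (size_t)len;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int rc = uuie_len_unchecked(ZERO_LEN, sizeof ZERO_LEN, &n);
    printf("unchecked zero: rc=%d len=%zu\n", rc, n);
    printf("checked zero:   rc=%d\n", uuie_len_checked(ZERO_LEN, sizeof ZERO_LEN, &n));
    rc = uuie_len_checked(VALID, sizeof VALID, &n);
    printf("checked valid:  rc=%d len=%zu\n", rc, n);
    return 0;
}
```

The earlier bound check compares the encoded length with the bytes remaining, so an encoded length of 0 passes it; only the check after the decrement rejects the element.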
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected 5e35941d990123f155b02d5663e51a24f816b6f3 - < 2121f5fbe88daff0f1fc5bc47d359426c74b86b0; affected 5e35941d990123f155b02d5663e51a24f816b6f3 - < 65fa92f79677858b14b9e4b7275f26639afe2710; affected 5e35941d990123f155b02d5663e51a24f816b6f3 - < 495e97af9e7249ee02b72bb1d0848a6efc3700f4; affected 5e35941d990123f155b02d5663e51a24f816b6f3 - < f5e4f4e4cdb75ec36802059a94195a31f193da60; affected 5e35941d990123f155b02d5663e51a24f816b6f3 - < 633e8f87dad32263f6a57dccdb873f042c062111; +3 more versions |
| Linux | Linux | affected 2.6.17; unaffected 0 - < 2.6.17; unaffected 5.10.253 - <= 5.10.*; unaffected 5.15.203 - <= 5.15.*; unaffected 6.1.167 - <= 6.1.*; +5 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High