netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

Summary

CVE	CVE-2026-23456
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-03 16:16:32 UTC
Updated	2026-04-18 09:16:28 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().

Risk And Classification

EPSS: 0.000320000 probability, percentile 0.090980000 (date 2026-04-18)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 a2cd54b9348e485d338b3c132338a4410c99afaf git	Not specified
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 c95dc674ebf01ecfb40388b6facfc89b81fed3b7 git	Not specified
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 41b417ff73a24b2c68134992cc44c88db27f482d git	Not specified
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 52235bf88159a1ef16434ab49e47e99c8a09ab20 git	Not specified
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 774a434f8c9c8602a976b2536f65d0172a07f4d2 git	Not specified
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 6bce72daeccca9aa1746e92d6c3d4784e71f2ebb git	Not specified
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 fb6c3596823ec5dd09c2123340330d7448f51a59 git	Not specified
CNA	Linux	Linux	affected 5e35941d990123f155b02d5663e51a24f816b6f3 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a git	Not specified
CNA	Linux	Linux	affected 2.6.17	Not specified
CNA	Linux	Linux	unaffected 2.6.17 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.253 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.203 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.167 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.20 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.10 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.