{"api_version":"1","generated_at":"2026-05-12T22:03:40+00:00","cve":"CVE-2026-43233","urls":{"html":"https://cve.report/CVE-2026-43233","api":"https://cve.report/api/cve/CVE-2026-43233.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43233","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43233"},"summary":{"title":"netfilter: nf_conntrack_h323: fix OOB read in decode_choice()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_choice()\n\nIn decode_choice(), the boundary check before get_len() uses the\nvariable `len`, which is still 0 from its initialization at the top of\nthe function:\n\n    unsigned int type, ext, len = 0;\n    ...\n    if (ext || (son->attr & OPEN)) {\n        BYTE_ALIGN(bs);\n        if (nf_h323_error_boundary(bs, len, 0))  /* len is 0 here */\n            return H323_ERROR_BOUND;\n        len = get_len(bs);                        /* OOB read */\n\nWhen the bitstream is exactly consumed (bs->cur == bs->end), the check\nnf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),\nwhich is false.  The subsequent get_len() call then dereferences\n*bs->cur++, reading 1 byte past the end of the buffer.  If that byte\nhas bit 7 set, get_len() reads a second byte as well.\n\nThis can be triggered remotely by sending a crafted Q.931 SETUP message\nwith a User-User Information Element containing exactly 2 bytes of\nPER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with\nthe nf_conntrack_h323 helper active.  The decoder fully consumes the\nPER buffer before reaching this code path, resulting in a 1-2 byte\nheap-buffer-overflow read confirmed by AddressSanitizer.\n\nFix this by checking for 2 bytes (the maximum that get_len() may read)\ninstead of the uninitialized `len`.  This matches the pattern used at\nevery other get_len() call site in the same file, where the caller\nchecks for 2 bytes of available data before calling get_len().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 12:16:43","updated_at":"2026-05-12 19:03:56"},"problem_types":["CWE-125"],"metrics":[{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","data":{"baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1","name":"https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16","name":"https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead","name":"https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041","name":"https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224","name":"https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129","name":"https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60","name":"https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a","name":"https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43233","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43233","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa 2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa 81f2fc5b0d0cf4696146f00f837596d10b92dead git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa 7ef82863d42261817a6394c6c881bd6757a70f16 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa 53d32735d77ab56cc3fc7bd53a7d099418f19be1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa f0a83d0a4b7c127d32ac06d607a9214937716129 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa 35f1943d242e1b9f0b6e91c0c93bfb293a9f8224 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa baed0d9ba91d4f390da12d5039128ee897253d60 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.252 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.202 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.165 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.128 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"43233","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43233","cve":"CVE-2026-43233","epss":"0.000520000","percentile":"0.160740000","score_date":"2026-05-11","updated_at":"2026-05-12 00:01:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/netfilter/nf_conntrack_h323_asn1.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"},{"lessThan":"2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"},{"lessThan":"81f2fc5b0d0cf4696146f00f837596d10b92dead","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"},{"lessThan":"7ef82863d42261817a6394c6c881bd6757a70f16","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"},{"lessThan":"53d32735d77ab56cc3fc7bd53a7d099418f19be1","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"},{"lessThan":"f0a83d0a4b7c127d32ac06d607a9214937716129","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"},{"lessThan":"35f1943d242e1b9f0b6e91c0c93bfb293a9f8224","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"},{"lessThan":"baed0d9ba91d4f390da12d5039128ee897253d60","status":"affected","version":"ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/netfilter/nf_conntrack_h323_asn1.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.15"},{"lessThan":"4.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.252","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.202","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.165","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.128","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.252","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.202","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.165","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.128","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"4.15","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_choice()\n\nIn decode_choice(), the boundary check before get_len() uses the\nvariable `len`, which is still 0 from its initialization at the top of\nthe function:\n\n    unsigned int type, ext, len = 0;\n    ...\n    if (ext || (son->attr & OPEN)) {\n        BYTE_ALIGN(bs);\n        if (nf_h323_error_boundary(bs, len, 0))  /* len is 0 here */\n            return H323_ERROR_BOUND;\n        len = get_len(bs);                        /* OOB read */\n\nWhen the bitstream is exactly consumed (bs->cur == bs->end), the check\nnf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),\nwhich is false.  The subsequent get_len() call then dereferences\n*bs->cur++, reading 1 byte past the end of the buffer.  If that byte\nhas bit 7 set, get_len() reads a second byte as well.\n\nThis can be triggered remotely by sending a crafted Q.931 SETUP message\nwith a User-User Information Element containing exactly 2 bytes of\nPER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with\nthe nf_conntrack_h323 helper active.  The decoder fully consumes the\nPER buffer before reaching this code path, resulting in a 1-2 byte\nheap-buffer-overflow read confirmed by AddressSanitizer.\n\nFix this by checking for 2 bytes (the maximum that get_len() may read)\ninstead of the uninitialized `len`.  This matches the pattern used at\nevery other get_len() call site in the same file, where the caller\nchecks for 2 bytes of available data before calling get_len()."}],"metrics":[{"cvssV3_1":{"baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-05-11T22:20:34.788Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041"},{"url":"https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a"},{"url":"https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead"},{"url":"https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16"},{"url":"https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1"},{"url":"https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129"},{"url":"https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224"},{"url":"https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60"}],"title":"netfilter: nf_conntrack_h323: fix OOB read in decode_choice()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43233","datePublished":"2026-05-06T11:28:29.565Z","dateReserved":"2026-05-01T14:12:55.995Z","dateUpdated":"2026-05-11T22:20:34.788Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 12:16:43","lastModifiedDate":"2026-05-12 19:03:56","problem_types":["CWE-125"],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.15.1","versionEndExcluding":"5.10.252","matchCriteriaId":"AF06F1E5-CD8A-4600-A5A6-AC36110965FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.202","matchCriteriaId":"4002FC2B-1456-4666-B240-0EBF590C4671"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.165","matchCriteriaId":"797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.128","matchCriteriaId":"851E9353-6C09-4CC9-877E-E09DB164A3C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.75","matchCriteriaId":"BCE16369-98ED-41CF-8995-DFDC10B288D2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.16","matchCriteriaId":"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*","matchCriteriaId":"3B4D39AF-668B-442B-8085-639A6D4FA5AC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.15:rc4:*:*:*:*:*:*","matchCriteriaId":"EBC4657A-0239-47DF-B582-87D8DFA69439"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.15:rc5:*:*:*:*:*:*","matchCriteriaId":"0E1F48A9-9185-4554-9265-22CEC01D18FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.15:rc6:*:*:*:*:*:*","matchCriteriaId":"639D2465-65E0-40E2-B7A8-BEA9E221DE54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.15:rc7:*:*:*:*:*:*","matchCriteriaId":"A282AD0B-2D63-4F05-8F89-109A0975B423"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.15:rc8:*:*:*:*:*:*","matchCriteriaId":"30358221-183C-4699-994E-AF51F5D534FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:4.15:rc9:*:*:*:*:*:*","matchCriteriaId":"A5ED80A8-E656-4AE9-921B-C22402C94A4C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43233","Ordinal":"1","Title":"netfilter: nf_conntrack_h323: fix OOB read in decode_choice()","CVE":"CVE-2026-43233","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43233","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_choice()\n\nIn decode_choice(), the boundary check before get_len() uses the\nvariable `len`, which is still 0 from its initialization at the top of\nthe function:\n\n    unsigned int type, ext, len = 0;\n    ...\n    if (ext || (son->attr & OPEN)) {\n        BYTE_ALIGN(bs);\n        if (nf_h323_error_boundary(bs, len, 0))  /* len is 0 here */\n            return H323_ERROR_BOUND;\n        len = get_len(bs);                        /* OOB read */\n\nWhen the bitstream is exactly consumed (bs->cur == bs->end), the check\nnf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),\nwhich is false.  The subsequent get_len() call then dereferences\n*bs->cur++, reading 1 byte past the end of the buffer.  If that byte\nhas bit 7 set, get_len() reads a second byte as well.\n\nThis can be triggered remotely by sending a crafted Q.931 SETUP message\nwith a User-User Information Element containing exactly 2 bytes of\nPER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with\nthe nf_conntrack_h323 helper active.  The decoder fully consumes the\nPER buffer before reaching this code path, resulting in a 1-2 byte\nheap-buffer-overflow read confirmed by AddressSanitizer.\n\nFix this by checking for 2 bytes (the maximum that get_len() may read)\ninstead of the uninitialized `len`.  This matches the pattern used at\nevery other get_len() call site in the same file, where the caller\nchecks for 2 bytes of available data before calling get_len().","Type":"Description","Title":"netfilter: nf_conntrack_h323: fix OOB read in decode_choice()"}]}}}