Skip to main content

Linux CVE-2026-23455

| EUVDEUVD-2026-18711 CRITICAL
Out-of-bounds Read (CWE-125)
2026-04-03 Linux GHSA-gm78-p64f-gx97
Critical
Disputed · 9.1 Vendor: Linux
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (Linux) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.1 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
9.1 (CRITICAL)
Patch available
Apr 16, 2026 - 05:29 EUVD
9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8,495e97af9e7249ee02b72bb1d0848a6efc3700f4,633e8f87dad32263f6a57dccdb873f042c062111
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18711
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.

AnalysisAI

Out-of-bounds read in Linux kernel netfilter nf_conntrack_h323 DecodeQ931() function allows remote attackers to trigger a kernel memory disclosure or denial of service by sending a specially crafted H.323 packet with zero-length UserUserIE field, causing integer underflow when a 16-bit length value is decremented without validation. No public exploit code identified at time of analysis, and CVSS severity not quantified in available data.

Technical ContextAI

The vulnerability exists in the netfilter connection tracking subsystem for H.323 protocol (nf_conntrack_h323), specifically in the DecodeQ931() function which parses Q.931 signaling messages. The H.323 protocol uses Q.931 for call control, and the UserUserIE (User-User Information Element) field contains a 16-bit length prefix. The code decrements this length by 1 to skip the protocol discriminator byte before passing the remaining data to DecodeH323_UserInformation(). When the encoded length in the packet is exactly 0, the decrement operation causes an integer underflow, wrapping the unsigned 16-bit value to 65535 (0xFFFF). This large value is then used as a size parameter to read kernel memory, resulting in an out-of-bounds read beyond allocated buffer boundaries. The root cause is insufficient input validation (CWE-680: Integer Overflow to Buffer Overflow) combined with improper length handling in a packet parsing routine. Affected systems run Linux kernels with the vulnerable nf_conntrack_h323 module active, typically in firewall/NAT configurations.

RemediationAI

Update to patched Linux kernel versions. The upstream fix is available in kernel commits referenced above; users should upgrade to the latest stable version in their respective kernel series (5.15, 5.10, 6.1, 6.6, 6.7, or 6.8+). For immediate mitigation on systems where nf_conntrack_h323 module is not required, disable the module by blacklisting it in modprobe configuration or removing it from the kernel at compile time. Users unable to upgrade immediately can restrict H.323 traffic at the network perimeter (firewall rules blocking H.323 port 1720 and RAS ports) to reduce exposure. Consult your Linux distribution's security advisory for the specific patched kernel version available for your platform.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy