Skip to main content

Linux CVE-2026-23456

| EUVDEUVD-2026-18712 HIGH
Out-of-bounds Read (CWE-125)
2026-04-03 Linux
8.2
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.2 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
1e3a3593162c96e8a8de48b1e14f60c3b57fca8a,6bce72daeccca9aa1746e92d6c3d4784e71f2ebb,52235bf88159a1ef16434ab49e47e99c8a09ab20
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18712
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.

Add a boundary check for len bytes after get_bits() and before get_uint().

AnalysisAI

Out-of-bounds read in Linux kernel netfilter H.323/RAS packet decoding allows local or remote attackers to read 1-4 bytes beyond allocated buffer boundaries via malformed packets. The vulnerability exists in decode_int() within nf_conntrack_h323, where insufficient boundary validation before reading variable-length integer fields permits information disclosure or potential denial of service. No CVSS score or KEV status published; patch available across multiple stable kernel branches via upstream commits.

Technical ContextAI

The vulnerability resides in the H.323/RAS protocol handler within Linux kernel's netfilter connection tracking module (nf_conntrack_h323). H.323 is a VoIP signaling protocol that uses ASN.1 encoding; the decode_int() function parses ASN.1 constructed (CONS) integer values. The function calls get_bits(bs, 2) to extract a 2-bit length field, then immediately calls get_uint(bs, len) to read the subsequent variable-length integer without validating that len bytes remain in the input buffer. The existing boundary check validates only the 2-bit read, creating a classic out-of-bounds (OOB) condition when len exceeds available buffer space. The root cause is insufficient input validation (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer / CWE-125: Out-of-bounds Read). Affected CPE: Linux kernel all versions prior to patched releases.

RemediationAI

Patch the Linux kernel via stable branch updates containing the boundary validation fix. The upstream commits referenced above (41b417ff, 52235bf8, 774a434f, 6bce72da, fb6c359, 1e3a359) add explicit buffer length checks in decode_int() before the get_uint() call. Users should apply kernel updates from their distribution or compile a patched kernel from linux.git stable branches. Interim mitigation: disable H.323 connection tracking if not required by unloading nf_conntrack_h323 module (rmmod nf_conntrack_h323), restrict H.323/RAS traffic via firewall rules, or isolate systems handling H.323 signaling to trusted networks. Detailed patch guidance is available at https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d and related stable branch commits.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23456 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy