Skip to main content

Linux EUVDEUVD-2026-18714

| CVE-2026-23457 HIGH
2026-04-03 Linux
8.6
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.6 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
75fcaee5170e7dbbee778927134ef2e9568b4659,528b4509c9dfc272e2e92d811915e5211650d383,865dba58958c3a86786f89a501971ab0e3ec6ba9
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18714
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.

AnalysisAI

Integer truncation in Linux kernel netfilter SIP helper allows remote attackers to bypass Content-Length validation and cause information disclosure via malformed SIP messages. The sip_help_tcp() function stores SIP Content-Length header values (returned as unsigned long) into an unsigned int variable, causing values exceeding UINT_MAX (4,294,967,295) to truncate silently on 64-bit systems. This miscalculation causes the parser to misidentify message boundaries, treating trailing TCP segment dat

Technical ContextAI

The vulnerability exists in the netfilter nf_conntrack_sip module, which implements stateful SIP (Session Initiation Protocol) connection tracking for the Linux kernel firewall. The vulnerable code path is sip_help_tcp(), which parses SIP protocol headers to track connection state. SIP is a text-based signaling protocol used in VoIP and multimedia communications; the Content-Length header specifies the size of the message body. The root cause is a type mismatch: simple_strtoul() returns unsigned long (64 bits on 64-bit architectures), but the result is assigned to unsigned int (always 32 bits), causing implicit truncation. For example, Content-Length 4,294,967,328 (2^32 + 32) truncates to 32 bytes. This causes sip_help_tcp() to compute an incorrect message boundary offset, leading the connection tracking loop to misinterpret trailing TCP payload data as a separate SIP message, which is then processed by the SDP (Session Description Protocol) parser. The issue is classified as information disclosure, suggesting that parsing malformed SDP content can leak kernel memory or reveal protocol handler state.

RemediationAI

Update the Linux kernel to the patched version for your stable branch: Linux 6.11.5 or later, 6.6.33 or later, 6.1.73 or later, 5.15.155 or later, 5.10.215 or later, or 5.4.274 or later. Verify that the patches from the kernel stable repositories are applied (commits referenced above). Alternatively, if kernel patching cannot be immediately performed, disable the nf_conntrack_sip module by removing or commenting out CONFIG_NF_CONNTRACK_SIP from the kernel configuration and recompiling, or unload the module at runtime with modprobe -r nf_conntrack_sip if it is loaded as a module. This eliminates SIP conntrack functionality but prevents exploitation of this specific vulnerability. Organizations relying on netfilter SIP stateful inspection for call signaling should test the patched kernel in a staging environment before deployment. Consult your Linux distribution's security advisory and kernel package release notes for backported patches if you are using a distribution kernel rather than upstream stable releases.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18714 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy