Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
In decode_choice(), the boundary check before get_len() uses the variable len, which is still 0 from its initialization at the top of the function:
unsigned int type, ext, len = 0; ... if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */ return H323_ERROR_BOUND; len = get_len(bs); /* OOB read */
When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well.
This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer.
Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized len. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len().
AnalysisAI
Heap buffer overflow in Linux kernel's nf_conntrack_h323 netfilter module allows remote unauthenticated attackers to trigger 1-2 byte out-of-bounds read via crafted Q.931 SETUP messages to port 1720. The vulnerability affects firewalls with H.323 connection tracking active and can cause information disclosure or denial of service. EPSS score of 0.02% suggests low exploitation probability despite network-accessible attack vector. Patches available across all maintained stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).
Technical ContextAI
The nf_conntrack_h323 module performs stateful inspection of H.323 VoIP protocol traffic, decoding ASN.1 PER-encoded User-User Information Elements in Q.931 signaling messages. The flaw exists in decode_choice() where boundary validation uses an uninitialized local variable (len=0) before calling get_len() to read variable-length ASN.1 data. When the bitstream parser reaches exact end-of-buffer (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) incorrectly passes because (bs->cur + 0 > bs->end) evaluates false. The subsequent get_len() unconditionally dereferences *bs->cur++, reading one byte beyond allocated memory, and potentially a second byte if bit 7 is set in the out-of-bounds data. This represents a classic off-by-one boundary condition in ASN.1 parsing logic. CPE data indicates vulnerability present in Linux kernel since at least version 4.15 through pre-patch mainline builds.
RemediationAI
Apply vendor-released patches immediately for systems using H.323 connection tracking: upgrade to Linux kernel 5.10.252+ (LTS), 5.15.202+ (LTS), 6.1.165+ (LTS), 6.6.128+ (stable), 6.12.75+ (stable), 6.18.16+ (stable), 6.19.6+ (stable), or mainline 7.0+. Patches available from git.kernel.org stable branches. If immediate patching is infeasible, disable the nf_conntrack_h323 kernel module via 'rmmod nf_conntrack_h323' (requires no active H.323 sessions) or blacklist at boot with 'echo "blacklist nf_conntrack_h323" > /etc/modprobe.d/h323-blacklist.conf' and reboot - this breaks H.323 connection tracking but eliminates attack surface. For iptables/nftables firewalls, remove explicit helper assignment rules (e.g., 'CT helper h323') if present. Note that disabling the helper may break legitimate H.323 VoIP deployments expecting NAT traversal assistance. Verify H.323 usage in your environment before applying workarounds; most modern VoIP uses SIP rather than legacy H.323. Mitigation trade-off: disabling module eliminates vulnerability but breaks stateful inspection for H.323, potentially affecting VoIP call setup through NAT/firewall.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27794
GHSA-qx8f-4v7p-9m35