{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23455", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.020Z", "datePublished": "2026-04-03T15:15:36.869Z", "dateUpdated": "2026-04-03T15:15:36.869Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:36.869Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_h323_asn1.c"], "versions": [{"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "495e97af9e7249ee02b72bb1d0848a6efc3700f4", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "f5e4f4e4cdb75ec36802059a94195a31f193da60", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "633e8f87dad32263f6a57dccdb873f042c062111", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "b652b05d51003ac074b912684f9ec7486231717b", "status": "affected", "versionType": "git"}, {"version": "5e35941d990123f155b02d5663e51a24f816b6f3", "lessThan": "f173d0f4c0f689173f8cdac79991043a4a89bf66", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_h323_asn1.c"], "versions": [{"version": "2.6.17", "status": "affected"}, {"version": "0", "lessThan": "2.6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.17", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"}, {"url": "https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"}, {"url": "https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"}, {"url": "https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"}, {"url": "https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"}, {"url": "https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"}], "title": "netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."}], "id": "CVE-2026-23455", "lastModified": "2026-04-03T16:16:32.123", "metrics": {}, "published": "2026-04-03T16:16:32.123", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()", "id": "2454810", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454810"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-191", "details": ["A flaw was found in the Linux kernel's netfilter subsystem, specifically within the `nf_conntrack_h323` module. This vulnerability occurs in the `DecodeQ931()` function when processing a zero-length value from a packet. An integer underflow during a length calculation results in a large, incorrect value being passed to a subsequent function, leading to an out-of-bounds read. This could allow an attacker to cause a denial of service or potentially disclose sensitive information."], "name": "CVE-2026-23455", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23455\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23455\nhttps://lore.kernel.org/linux-cve-announce/2026040317-CVE-2026-23455-f045@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,495e97af9e7249ee02b72bb1d0848a6efc3700f4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,f5e4f4e4cdb75ec36802059a94195a31f193da60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,633e8f87dad32263f6a57dccdb873f042c062111)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,b652b05d51003ac074b912684f9ec7486231717b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5e35941d990123f155b02d5663e51a24f816b6f3,f173d0f4c0f689173f8cdac79991043a4a89bf66)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,2.6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:45:37.577553+00:00", "value": {"mitigation_remediation": ["Apply the latest kernel update that includes the nf_conntrack_h323 bounds check.", "Verify that the patch has been applied by checking the kernel version or reviewing the nf_conntrack_h323 source to confirm the length check.", "If immediate update is not possible, consider limiting exposure to H.323 traffic by firewalling or disabling nf_conntrack_h323 if it is unnecessary."], "summary": {"action": "Immediate Patch", "impact": "Out-of-Bounds Read leading to information disclosure or denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that contain the nf_conntrack_h323 module are potentially affected, as the advisory lists the vendor as Linux:Linux and does not provide specific version ranges. Any kernel that has not yet incorporated the bounds-check fix is vulnerable. Administrators should consult vendor release notes for the patch details.", "description_and_impact": "The flaw is in the nf_conntrack_h323 module of the Linux kernel; the Q931 decoder reads a length field and subtracts one for the protocol discriminator without ensuring the result is positive. If the encoded length is zero, the subtraction underflows and the decoder uses a very large value, causing an out-of-bounds read of kernel memory. This can reveal sensitive data and potentially crash the kernel, leading to denial of service or privilege escalation. The vulnerability is an example of an out-of-bounds read (CWE-125).", "risk_and_exploitability": "The CVSS score and EPSS rating are not available, and the issue is not listed in the CISA KEV catalog. An attacker would need to send a crafted H.323 packet to a host that is tracking H.323 connections via nf_conntrack_h323. While no public exploit is known, the low complexity of sending a malformed packet means the risk is moderate; a successful out-of-bounds read could trigger a kernel crash or disclose memory contents. Updating the kernel removes the vulnerability entirely."}}}}, "created": "2026-04-03T21:13:43.254417+00:00", "updated": "2026-04-03T21:15:57.320407+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-125"]}