KernelScan.io

CRITICAL

netfilter H323 OOB

CVE-2026-23455

CVSS 9.1 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

KernelScan AI 8.1 HIGH

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.

Engine v0.2.0

Risk summary

Remote attackers can trigger an out-of-bounds read in the H.323 connection tracking helper by sending malformed H.323 Q.931 packets with a zero-length UserUserIE field. An integer underflow causes an extremely large length value to be passed to the decoder, leading to a kernel panic when unmapped pages are touched. Limited kernel heap data may be disclosed prior to the crash.

Affected: net/netfilter/nf_conntrack_h323_asn1.c (netfilter)

Vulnerability analysis

The vulnerability is in DecodeQ931() in the netfilter conntrack H.323 helper, which parses Q.931 messages. The code reads a 16-bit length field from the packet and decrements it by 1 to skip the protocol discriminator byte. If the encoded length is 0, the decrement underflows to -1 (a very large value when interpreted as an unsigned size), and that value is passed to DecodeH323_UserInformation() as the buffer size. The decoder then reads beyond the packet buffer. Because the length is effectively unbounded, the read walks through kernel heap memory until it reaches an unmapped page and triggers a kernel panic; a limited amount of slab memory may be disclosed before the crash. The fix adds a check that the length is still positive after the decrement. The attack surface is network-facing: H.323 Q.931 traffic carried over TCP is parsed by the helper on any system where the nf_conntrack_h323 helper is loaded and assigned to the connection, including forwarding hosts whose conntrack tables see the traffic.

Branch     Fixed in    Patch commit
5.10       5.10.253    2121f5fbe88d
5.15       5.15.203    65fa92f79677
6.1        6.1.167     495e97af9e72
6.6        6.6.130     f5e4f4e4cdb7
6.12       6.12.78     633e8f87dad3
6.18       6.18.20     9d00fe7d6d7c
6.19       6.19.10     b652b05d5100
mainline   7.0         f173d0f4c0f6