HIGH
netfilter H323 OOB
CVE-2026-23456
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
KernelScan AI score: 5.3 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.

Add a boundary check for len bytes after get_bits() and before get_uint().
02 KernelScan AI Analysis
Risk summary
Remote attackers can trigger a 1-4 byte slab-out-of-bounds read in the kernel by sending malformed H.323/RAS packets to systems with the netfilter H.323 connection-tracking helper enabled. The disclosure is constrained to a small, attacker-uncontrolled amount of adjacent slab memory and does not allow arbitrary memory read, code execution, or integrity modification. System availability impact is unlikely because the overread is bounded and small.
Vulnerability analysis
The vulnerability exists in the decode_int() function's CONS case. It reads a 2-bit length value using get_bits(bs, 2) and then calls get_uint(bs, len) without verifying that len bytes remain in the bitstream buffer. The existing boundary check only validates the 2 bits for the length field itself, not the subsequent 1-4 bytes that get_uint() reads. The fix adds a boundary check using nf_h323_error_boundary(bs, len, 0) before the read. Because the overread is limited to at most four bytes in a slab allocation, the confidentiality impact is constrained rather than arbitrary.
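To make the ordering of the checks concrete, here is a constructed C model of the CONS decode path with the post-fix logic: the pre-existing 2-bit check, get_bits(), byte alignment, and then a len-byte boundary check before get_uint(). This is an added example, not the kernel's code or the patch; error_boundary(), decode_cons_int() and decode_cons_from() are simplified stand-ins for the kernel helpers the page names, and the bit-reader semantics are a simplification as well.

```c
/* Constructed, simplified model of the netfilter H.323 ASN.1 bit reader (not the
 * kernel's code); names mirror the page's get_bits()/get_uint()/decode_int(). */
#define H323_ERROR_BOUND (-1)

struct bitstr {
    const unsigned char *cur;  /* current byte */
    const unsigned char *end;  /* one past the last valid byte */
    unsigned int bit;          /* bit offset within *cur, 0..7 */
};
/* Non-zero if fewer than `bytes` bytes plus `bits` bits remain (assumed semantics). */
static int error_boundary(const struct bitstr *bs, unsigned bytes, unsigned bits)
{
    unsigned rem = (unsigned)(bs->end - bs->cur);   /* whole bytes still readable */
    bits += bs->bit; bytes += bits / 8; bits %= 8;
    return bytes > rem || (bytes == rem && bits > 0);
}

static unsigned int get_bits(struct bitstr *bs, unsigned int n) /* n bits, MSB first */
{
    unsigned int v = 0;
    while (n--) {
        v = (v << 1) | ((*bs->cur >> (7 - bs->bit)) & 1u);
        if (++bs->bit == 8) { bs->bit = 0; bs->cur++; }
    }
    return v;
}

static unsigned int get_uint(struct bitstr *bs, unsigned int n) /* n bytes, big-endian */
{
    unsigned int v = 0;
    while (n--) v = (v << 8) | *bs->cur++;
    return v;
}

/* CONS case of decode_int(): 2-bit (len - 1), byte-align, then len bytes of value. */
static int decode_cons_int(struct bitstr *bs, unsigned int *out)
{
    if (error_boundary(bs, 0, 2)) return H323_ERROR_BOUND;   /* pre-existing: covers 2 bits only */
    unsigned int len = get_bits(bs, 2) + 1;                  /* 1..4 bytes */
    if (bs->bit) { bs->bit = 0; bs->cur++; }                 /* BYTE_ALIGN */
    if (error_boundary(bs, len, 0)) return H323_ERROR_BOUND; /* the fix: len bytes must remain */
    *out = get_uint(bs, len);                                /* now known to be in-bounds */
    return 0;
}
/* Decode one CONS integer from a constructed n-byte packet fragment. */
int decode_cons_from(const unsigned char *pkt, unsigned n, unsigned int *out)
{
    struct bitstr bs = { pkt, pkt + n, 0 };
    return decode_cons_int(&bs, out);
}
```

Without the second error_boundary() call, a fragment whose 2-bit field promises four bytes but carries only two would make get_uint() read two bytes past the end of the buffer; with it, the packet is rejected with H323_ERROR_BOUND.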
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | a2cd54b9348e |
| 5.15 | 5.15.203 | c95dc674ebf0 |
| 6.1 | 6.1.167 | 41b417ff73a2 |
| 6.6 | 6.6.130 | 52235bf88159 |
| 6.12 | 6.12.78 | 774a434f8c9c |
| 6.18 | 6.18.20 | 6bce72daeccc |
| 6.19 | 6.19.10 | fb6c3596823e |
| mainline | 7.0 | 1e3a3593162c |