Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.
Published: 2026-04-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read
Action: Patch promptly
AI Analysis

Impact

The nf_conntrack_h323 module in the Linux kernel contains a flaw in DecodeQ931(). The function reads a 16‑bit length from the packet, decrements it to skip a protocol discriminator byte, and passes the result to DecodeH323_UserInformation(). If the original length is zero, the decrement underflows to -1, which the decoder interprets as a large positive number, leading to an out-of-bounds read into kernel memory. The attacker can trigger the wrap by sending a crafted H.323 packet. The vulnerability allows an attacker to read arbitrary kernel memory without executing code or causing a crash.
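
The length handling described above, modelled as a small user-space C program. This is an added example, not the kernel's code: the function name uuie_decoder_len, the checked flag and the sample byte arrays are constructed for illustration, and the payload decoder is assumed to take its size as an unsigned size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_USER_USER 0x7e /* Q.931 User-User information element id */

/* Constructed sample IEs: id, 16-bit big-endian length, then contents. */
static const unsigned char zero_len_ie[] = { 0x7e, 0x00, 0x00 };
static const unsigned char valid_ie[] = { 0x7e, 0x00, 0x03, 0x05, 0xaa, 0xbb };
static const unsigned char short_ie[] = { 0x7e, 0x00, 0x05, 0x05, 0xaa };

/*
 * Model of the length handling the advisory describes. Returns the size
 * that would be handed to the payload decoder, or 0 if the IE is rejected.
 * Assumption: the decoder takes its size as an unsigned size_t.
 */
static size_t uuie_decoder_len(const unsigned char *p, size_t sz, int checked)
{
	int len;

	if (sz < 3 || p[0] != IE_USER_USER)
		return 0;
	len = (p[1] << 8) | p[2];	/* 16-bit length from the packet */
	sz -= 3;
	if (sz < (size_t)len)		/* contents must fit in the buffer */
		return 0;
	len--;				/* skip the protocol discriminator */
	if (checked && len <= 0)	/* the added check: len must be positive */
		return 0;
	return (size_t)len;		/* -1 converts to SIZE_MAX here */
}

int main(void)
{
	printf("zero length, unchecked: %zu\n",
	       uuie_decoder_len(zero_len_ie, sizeof(zero_len_ie), 0));
	printf("zero length, checked:   %zu\n",
	       uuie_decoder_len(zero_len_ie, sizeof(zero_len_ie), 1));
	printf("valid IE,    checked:   %zu\n",
	       uuie_decoder_len(valid_ie, sizeof(valid_ie), 1));
	printf("truncated IE, checked:  %zu\n",
	       uuie_decoder_len(short_ie, sizeof(short_ie), 1));
	return 0;
}
```

The existing "contents must fit" comparison does not catch the zero-length case, because a length of 0 always fits; only the check after the decrement rejects it.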

Affected Systems

All Linux kernel releases that include the nf_conntrack_h323 module and lack the commit adding the zero‑length check are vulnerable. Vendor: Linux. Product: Linux kernel. Specific affected versions are not enumerated in the advisory; any kernel prior to the patch that processes H.323 traffic via nf_conntrack is susceptible.

Risk and Exploitability

The CVSS v3 score of 9.1 indicates critical severity. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, suggesting a low probability of exploitation. The flaw is reachable over the network, as the nf_conntrack module processes inbound H.323 traffic. An attacker who can inject crafted packets to the target can trigger the out-of-bounds read, leading to possible information disclosure. No privilege escalation, code execution, or denial of service is achieved.

Generated by OpenCVE AI on April 28, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Linux kernel version that includes the zero‑length check commit.
  • If an update cannot be applied immediately, isolate the system or block H.323 traffic until the patch is applied.
  • Monitor vendor advisories and apply the fix as soon as it is released.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Sat, 18 Apr 2026 09:15:00 +0000


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Important


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.
Title netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:33.617Z

Reserved: 2026-01-13T15:37:46.020Z

Link: CVE-2026-23455

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-03T16:16:32.123

Modified: 2026-04-27T14:16:33.940

Link: CVE-2026-23455

Redhat

Severity: Important

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23455 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses