Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In decode_int(), the CONS case calls get_bits(bs, 2) to read a length
value, then calls get_uint(bs, len) without checking that len bytes
remain in the buffer. The existing boundary check only validates the
2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()
reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte
slab-out-of-bounds read.

Add a boundary check for len bytes after get_bits() and before
get_uint().
Published: 2026-04-03
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The nf_conntrack_h323 module in the Linux kernel contains a boundary‑check failure in its decode_int() routine. In the CONS case, the routine reads a length value with get_bits(bs,2) and then calls get_uint(bs,len) without validating that len bytes remain on the buffer. This omission permits a crafted H.323/RAS packet to trigger a 1–4 byte out‑of‑bounds read from kernel memory. The flaw is a CWE‑125 boundary‑check failure that can expose privileged kernel data to a remote attacker.

Affected Systems

The vulnerability is present in the Linux kernel for all distributions that ship with the nf_conntrack_h323 conntrack module and that have not yet incorporated the patch. The CNA entry lists only Linux:Linux, and no specific versions are enumerated, so every kernel prior to the commit that introduced the boundary check is affected. Users should verify whether their running kernel matches the repositories referenced in the advisory to determine vulnerability status.

Risk and Exploitability

The CVSS v3 score of 8.2 indicates high severity. The EPSS score is less than 1%, implying a very low likelihood of exploitation in the wild, and the flaw is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to inject a malformed H.323 packet into the network interface that the kernel processes, so remote access to that interface is needed. Because the read is small, the immediate impact is information disclosure, but the data leaked could aid more complex attacks, so the overall risk remains significant for exposed systems. The likely attack vector is inferred to be a remote network attacker sending crafted H.323 traffic to the target. The vulnerability does not provide a code execution path by itself.

Generated by OpenCVE AI on April 28, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel version that includes the patch for this issue
  • If upgrading is not feasible, disable the nf_conntrack_h323 module or unload all H.323 conntrack modules to prevent processing of H.323 traffic
  • Configure network filtering or firewall rules to reject malformed H.323 packets from untrusted sources
  • Monitor system logs for anomalous H.323 activity and investigate any unexpected traffic

Generated by OpenCVE AI on April 28, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}

threat_severity

Moderate

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().
Title netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:34.715Z

Reserved: 2026-01-13T15:37:46.020Z

Link: CVE-2026-23456

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:32.300

Modified: 2026-04-27T14:16:34.073

Link: CVE-2026-23456

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23456 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses