CVE-2026-23457 - Vulnerability Details

- netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with
simple_strtoul(), which returns unsigned long, but stores the result in
unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are
silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
causing the parser to miscalculate where the current message ends. The
loop then treats trailing data in the TCP segment as a second SIP
message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of
simple_strtoul(), and reject Content-Length values that exceed the
remaining TCP payload length.

Published: 2026-04-03

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the SIP Content-Length header parsing logic within the Linux kernel’s netfilter connection tracking module. The parser converts the header value using an unsigned long return type but stores it in an unsigned int. On 64‑bit systems, values larger than the maximum 32‑bit unsigned int are silently truncated, which causes the module to miscalculate the true end of the SIP message. As a result, trailing data in the TCP segment is interpreted as a second SIP message and passed to the SDP parser. The impact is that an attacker can send crafted SIP traffic that may be mishandled, potentially leading to denial of service or unexpected behavior within applications that rely on SIP parsing.

Affected Systems

The flaw is present in the Linux kernel’s netfilter nf_conntrack_sip implementation. All Linux kernel builds that include this module and have not applied the upstream patch are susceptible. No specific kernel version range was listed, so the risk applies to all affected releases before the fix was merged.

Risk and Exploitability

This is an integer truncation weakness categorized as CWE‑681. The CVSS score of 7.0 indicates a high severity. An attacker can exploit this by sending large Content‑Length values over TCP to a target running the vulnerable kernel. The attack vector is network‑based and does not require privileged access. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that while exploitability is feasible, it may be less frequently observed in the wild.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< ed81b6a7012485acdb9c6c80735a0b7d8e5e1873
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< b75209debb9adab287b3caa982f77788c1e15027
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< 528b4509c9dfc272e2e92d811915e5211650d383
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< 75fcaee5170e7dbbee778927134ef2e9568b4659
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< 865dba58958c3a86786f89a501971ab0e3ec6ba9
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< d4f17256544cc37f6534a14a27a9dec3540c2015
`f5b321bd37fbec9188feb1f721ab46a5ac0b35da`	affected	< fbce58e719a17aa215c724473fd5baaa4a8dc57c

Linux

affected

Version	Status	Constraints
`2.6.34`	affected	—
`0`	unaffected	< 2.6.34
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,b75209debb9adab287b3caa982f77788c1e15027)`	affected	code_commit	—
`[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,528b4509c9dfc272e2e92d811915e5211650d383)`	affected	code_commit	—
`[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,75fcaee5170e7dbbee778927134ef2e9568b4659)`	affected	code_commit	—
`[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,865dba58958c3a86786f89a501971ab0e3ec6ba9)`	affected	code_commit	—
`[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,d4f17256544cc37f6534a14a27a9dec3540c2015)`	affected	code_commit	—
`[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,fbce58e719a17aa215c724473fd5baaa4a8dc57c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.34`	affected	semver	—
`[0,2.6.34)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that changes clen to unsigned long and rejects oversized Content‑Length values.

Generated by OpenCVE AI on April 4, 2026 at 03:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383
https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659
https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9
https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027
https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f
https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015
https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873
https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c
https://lore.kernel.org/linux-cve-announce/2026040318-CVE-2026-23457-e7f6@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23457
https://www.cve.org/CVERecord?id=CVE-2026-23457

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-681
References		https://lore.kernel.org/linux-cve-announce/2026040318-CVE-2026-23457-e7f6@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23457 https://www.cve.org/CVERecord?id=CVE-2026-23457
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.
Title		netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383 https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659 https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9 https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027 https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015 https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:38.193Z

Updated: 2026-04-18T08:59:06.832Z

Reserved: 2026-01-13T15:37:46.020Z

Link: CVE-2026-23457

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:32.473

Modified: 2026-04-18T09:16:28.333

Link: CVE-2026-23457

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23457 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T07:17:22Z

Weaknesses

CWE-681

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object