Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with
simple_strtoul(), which returns unsigned long, but stores the result in
unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are
silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
causing the parser to miscalculate where the current message ends. The
loop then treats trailing data in the TCP segment as a second SIP
message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of
simple_strtoul(), and reject Content-Length values that exceed the
remaining TCP payload length.
Published: 2026-04-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via SIP parsing error
Action: Apply patch
AI Analysis

Impact

The flaw is in the Linux kernel's netfilter nf_conntrack_sip connection-tracking helper, specifically its TCP path, sip_help_tcp(). The SIP Content-Length header is parsed with simple_strtoul(), which returns unsigned long, and the result is stored in an unsigned int. On 64-bit kernels a value above UINT_MAX is silently truncated to its low 32 bits, so the helper computes the wrong end for the current message: Content-Length 4294967328 (2^32 + 32) becomes 32, and whatever follows those 32 body bytes in the TCP segment is treated as a second SIP message and run through the SDP parser. The kernel commit describes the consequence as incorrect message parsing; the recorded impact is denial of service, and the CVSS vector rates confidentiality and integrity impact as low and availability impact as high. The weakness is an integer truncation (CWE-681).
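To make the boundary miscalculation concrete, the following user-space model (an added example, not the kernel's code and not from the OpenCVE page) computes the message end the pre-fix way and the fixed way over a constructed TCP segment and walks the segment the way the helper loop does. The function names (sip_msg_end_truncated, sip_msg_end_fixed, count_sip_messages) and the sample payload are this example's own; the kernel's 64-bit unsigned long is modelled with unsigned long long so the result does not depend on the host's data model.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed TCP payload (not captured traffic): one INVITE whose Content-Length
 * is 2^32 + 32, a body of exactly 32 bytes, then trailing bytes shaped like a
 * second request. A correct parser sees one incomplete message, nothing more. */
static const char SEGMENT[] =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Content-Length: 4294967328\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "OPTIONS sip:bob@example.com SIP/2.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n";
#define SEGMENT_LEN (sizeof(SEGMENT) - 1)

/* Case-insensitive compare of n bytes: RFC 3261 header names are case-insensitive. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Decimal parse with the one property that matters here: digits accumulate into
 * a 64-bit value with no overflow check, like simple_strtoul() on a 64-bit kernel.
 * Bounded by end so it never reads past the payload. */
static unsigned long long parse_decimal(const char *p, const char *end)
{
    unsigned long long v = 0;
    while (p < end && *p >= '0' && *p <= '9')
        v = v * 10 + (unsigned long long)(*p++ - '0');
    return v;
}

/* Offset of the first byte after the "\r\n\r\n" that ends the headers, or -1. */
static long body_offset(const char *msg, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(msg + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);
    return -1;
}

/* First byte of the Content-Length value, or NULL. The compact form "l:" is not
 * handled by this model. */
static const char *content_length_value(const char *msg, size_t len)
{
    static const char name[] = "Content-Length:";
    const size_t nlen = sizeof(name) - 1;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (i > 0 && msg[i - 1] != '\n')            /* header names start a line */
            continue;
        if (ieq(msg + i, name, nlen)) {
            const char *p = msg + i + nlen;
            while (p < msg + len && (*p == ' ' || *p == '\t'))
                p++;
            return p;
        }
    }
    return NULL;
}

/* Pre-fix computation: the 64-bit value is stored in an unsigned int, so
 * 4294967328 silently becomes 32. Returns the offset at which the helper
 * believes the current message ends, or -1 if no Content-Length is present. */
long sip_msg_end_truncated(const char *msg, size_t len)
{
    const char *v = content_length_value(msg, len);
    long body = body_offset(msg, len);
    if (v == NULL || body < 0)
        return -1;
    unsigned int clen = (unsigned int)parse_decimal(v, msg + len); /* the truncating store */
    return body + (long)clen;
}

/* Fixed computation: keep the full width and reject a Content-Length that cannot
 * fit in the payload remaining after the headers. */
long sip_msg_end_fixed(const char *msg, size_t len)
{
    const char *v = content_length_value(msg, len);
    long body = body_offset(msg, len);
    if (v == NULL || body < 0)
        return -1;
    unsigned long long clen = parse_decimal(v, msg + len);
    if (clen > (unsigned long long)(len - (size_t)body))
        return -1;                                   /* body would run past the segment */
    return body + (long)clen;
}

/* Walk a segment the way the helper loop does: hand each message on, then continue
 * at its computed end. Returns how many messages were handed on for parsing. */
size_t count_sip_messages(const char *seg, size_t len,
                          long (*msg_end)(const char *, size_t))
{
    size_t off = 0, n = 0;
    while (off < len) {
        long end = msg_end(seg + off, len - off);
        if (end < 0 || (size_t)end > len - off)
            break;                                   /* rejected, or still incomplete */
        n++;
        off += (size_t)end;
    }
    return n;
}

int main(void)
{
    printf("pre-fix: end %ld, %zu message(s)\n", sip_msg_end_truncated(SEGMENT, SEGMENT_LEN),
           count_sip_messages(SEGMENT, SEGMENT_LEN, sip_msg_end_truncated));
    printf("fixed:   end %ld, %zu message(s)\n", sip_msg_end_fixed(SEGMENT, SEGMENT_LEN),
           count_sip_messages(SEGMENT, SEGMENT_LEN, sip_msg_end_fixed));
    return 0;
}
```

With the truncating store the first message "ends" 32 bytes into the body, exactly where the constructed OPTIONS bytes begin, so the loop parses two messages from a segment that carries one. The fixed computation rejects the message outright because 4294967328 exceeds the 90 bytes that remain after the headers, which is the check the upstream patch adds.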

Affected Systems

The issue is present in Linux kernel builds that include the nf_conntrack_sip helper (CONFIG_NF_CONNTRACK_SIP) and have not incorporated the upstream fix. The record lists no version range, only the cpe:2.3:o:linux:linux_kernel wildcard; the Debian advisories listed below cover both the linux-6.1 LTS package and the current linux package, which shows the code has been present across several stable series. The truncation only occurs on 64-bit builds, where unsigned long is wider than unsigned int, and only for SIP-over-TCP flows to which the helper has been attached.

Risk and Exploitability

The current CVSS 3.1 score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H); an earlier entry in the history below scored it 7.0 with a local, high-complexity vector, and Red Hat rates it Moderate. EPSS puts the exploitation probability below 1 %, and the flaw is not listed in the CISA KEV catalog. Exploitation is network-side: an attacker who can deliver a SIP-over-TCP message with an oversized Content-Length header to a host that is connection-tracking that flow with the SIP helper (a router, firewall or endpoint with a CT helper rule for SIP) needs no local privileges and no user interaction. Hosts that never load nf_conntrack_sip, or never attach the helper to a flow, do not reach the vulnerable code.

Generated by OpenCVE AI on April 28, 2026 at 16:37 UTC.

Remediation

This field records no vendor-supplied fix or workaround. The upstream kernel patch is the one described above, and the Debian advisories listed under Advisories ship it.

OpenCVE Recommended Actions

  • Apply the kernel patch that changes clen to unsigned long and rejects Content-Length values larger than the remaining TCP payload.
  • Upgrade to a kernel that includes the fix (the latest stable release, or a distribution update that ships it, such as the Debian advisories listed under Advisories).
  • Until then, prevent the nf_conntrack_sip module from loading (for example an `install nf_conntrack_sip /bin/false` entry in a modprobe.d file) and remove any iptables `-j CT --helper sip` or nftables `ct helper` rules that attach it. Where a SIP ALG is genuinely required, front it with a SIP proxy that validates Content-Length; a packet filter that does not parse SIP cannot reliably reject oversized header values.
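Before a fixed kernel is in place, the first question is whether the helper is reachable at all. The script below (an added example, not from OpenCVE or the kernel project) checks the module list and the rule set, and on request writes the modprobe.d entry that stops the module from loading. The function names and file paths are this example's own; the iptables `-j CT --helper sip` and nftables `ct helper` syntax it looks for is the documented one. File arguments exist so the checks can run against saved output; with no arguments they inspect the live host.

```shell
#!/bin/sh
# Added example (not the OpenCVE page's or the kernel project's code): find out
# whether the nf_conntrack_sip helper can see traffic on this host and, if needed,
# stop the module from autoloading until a fixed kernel is installed.

# 0 if a /proc/modules-style listing names nf_conntrack_sip.
sip_module_loaded() {
    grep -q '^nf_conntrack_sip ' "${1:-/proc/modules}"
}

# 0 if an iptables-save or "nft list ruleset" dump attaches the SIP helper to
# flows. Modern kernels only attach a helper through such a rule (automatic
# assignment defaulted to off in 4.7 and was later removed), so without one the
# parser is never reached even when the module is loaded.
sip_helper_assigned() {
    grep -Eiq -- '--helper +"?sip"?|type +"sip"' "$1"
}

# Collect the live rule set into a temp file; missing tools are simply skipped.
dump_live_rules() {
    f=$(mktemp)
    { nft list ruleset; iptables-save; } > "$f" 2>/dev/null || true
    echo "$f"
}

# Prints one line and returns 0 (not reachable), 1 (reachable), 2 (loaded, no rule).
audit_sip_helper() {
    modules=${1:-/proc/modules}
    rules=${2:-$(dump_live_rules)}
    if ! sip_module_loaded "$modules"; then
        echo "OK: nf_conntrack_sip is not loaded"
        return 0
    fi
    if sip_helper_assigned "$rules"; then
        echo "EXPOSED: nf_conntrack_sip is loaded and a CT helper rule attaches it to flows"
        return 1
    fi
    echo "LOADED: nf_conntrack_sip is loaded but no helper rule was found; unload or blacklist it"
    return 2
}

# Make every future load attempt of the module fail; "install" is the documented
# modprobe.d mechanism for this. It does not unload an already loaded module.
disable_sip_helper_autoload() {
    conf=${1:-/etc/modprobe.d/disable-nf-conntrack-sip.conf}
    printf 'install nf_conntrack_sip /bin/false\n' > "$conf"
}

case "${1:-}" in
    audit)   audit_sip_helper ;;
    disable) disable_sip_helper_autoload ;;
esac
```

Run `sh sip-helper-audit.sh audit` as root to classify the host, and `sh sip-helper-audit.sh disable` to write the blacklist entry. A module that is already loaded and pinned by a CT helper rule cannot be removed until that rule is deleted; delete the rule first, then `rmmod nf_conntrack_sip`.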

Advisories
Source      ID          Title
Debian DLA  DLA-4561-1  linux-6.1 security update
Debian DSA  DSA-6238-1  linux security update
Debian DSA  DSA-6243-1  linux security update
History

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}


Sat, 18 Apr 2026 09:15:00 +0000


Sat, 04 Apr 2026 01:15:00 +0000

Type: Weaknesses
Values Added: CWE-681

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity Moderate


Fri, 03 Apr 2026 16:30:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.

Type: Title
Values Added: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:07:21.559Z

Reserved: 2026-01-13T15:37:46.020Z

Link: CVE-2026-23457

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:32.473

Modified: 2026-04-27T14:16:34.210

Link: CVE-2026-23457

Red Hat

Severity : Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23457 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:45:06Z

Weaknesses