Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with
simple_strtoul(), which returns unsigned long, but stores the result in
unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are
silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
causing the parser to miscalculate where the current message ends. The
loop then treats trailing data in the TCP segment as a second SIP
message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of
simple_strtoul(), and reject Content-Length values that exceed the
remaining TCP payload length.
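The truncating store and the bounds check the commit message describes, as an added C example that is not the kernel's code: it models the Content-Length handling of sip_help_tcp() in userspace, with strtoul() standing in for simple_strtoul(). The helper names (sip_hdr_end, parse_content_length, sip_msg_end_truncated, sip_msg_end_checked) and the two SIP messages are constructed for this example, and the header parsing is simplified. The pre-fix function stores the parsed length in an unsigned int; the fixed function keeps the unsigned long and rejects any length that does not fit in the remaining payload.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not captured traffic): one SIP request whose
 * Content-Length is 2^32 + 32, the value quoted in the advisory, followed
 * by a 56-byte SDP body. */
static const char SAMPLE_OVERSIZED[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Length: 4294967328\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.0.2.1\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.1\r\n";

/* Constructed sample whose Content-Length matches its 56-byte body. */
static const char SAMPLE_OK[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Length: 56\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.0.2.1\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.1\r\n";

/* Offset just past the blank line that ends the SIP headers (hypothetical
 * helper; the real parser tracks this while walking the headers). */
size_t sip_hdr_end(const char *msg)
{
    const char *p = strstr(msg, "\r\n\r\n");
    return p ? (size_t)(p - msg) + 4 : strlen(msg);
}

/* Parses "Content-Length: <digits>" with strtoul(), the userspace analogue of
 * simple_strtoul(). Returns 0 when the header is absent. Simplified: a real
 * parser also handles the compact "l:" form and case-insensitive names. */
static unsigned long parse_content_length(const char *msg)
{
    const char *p = strstr(msg, "Content-Length:");
    if (!p)
        return 0;
    return strtoul(p + strlen("Content-Length:"), NULL, 10);
}

/* Pre-fix shape: the unsigned long result is stored in an unsigned int, so on
 * LP64 platforms 4294967328 becomes 32 and the computed end lands inside the
 * body. Bytes after that point would be handed to the next parsing round as
 * if they were a second message. */
size_t sip_msg_end_truncated(const char *msg, size_t hdr_end, size_t datalen)
{
    unsigned int clen = (unsigned int)parse_content_length(msg); /* truncating store */
    (void)datalen; /* the pre-fix code did not compare against the payload */
    return hdr_end + clen;
}

/* Fixed shape: keep the full unsigned long and refuse any Content-Length that
 * does not fit in the remaining TCP payload. Returns false on rejection. */
bool sip_msg_end_checked(const char *msg, size_t hdr_end, size_t datalen, size_t *end)
{
    unsigned long clen = parse_content_length(msg);
    if (hdr_end > datalen || clen > datalen - hdr_end)
        return false;
    *end = hdr_end + clen;
    return true;
}

int main(void)
{
    size_t datalen = strlen(SAMPLE_OVERSIZED);
    size_t hdr_end = sip_hdr_end(SAMPLE_OVERSIZED);
    size_t end = 0;

    printf("payload %zu bytes, headers end at %zu\n", datalen, hdr_end);
    printf("truncating parser thinks the message ends at %zu\n",
           sip_msg_end_truncated(SAMPLE_OVERSIZED, hdr_end, datalen));
    printf("checked parser %s the oversized length\n",
           sip_msg_end_checked(SAMPLE_OVERSIZED, hdr_end, datalen, &end)
               ? "accepted" : "rejected");
    if (sip_msg_end_checked(SAMPLE_OK, sip_hdr_end(SAMPLE_OK), strlen(SAMPLE_OK), &end))
        printf("checked parser accepts the well-formed message, end=%zu\n", end);
    return 0;
}
```

On a 64-bit build the truncating version reports an end of 102 for a 126-byte payload, leaving 24 bytes of the SDP body to be treated as a second message; the checked version rejects the oversized header outright and accepts the message whose Content-Length matches its body. The same rejection also covers a plain Content-Length that is merely larger than the remaining payload, which is the second half of the upstream fix.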
Published: 2026-04-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s nf_conntrack_sip module parses the SIP Content‑Length header using simple_strtoul(), which returns an unsigned long, but stores the value in an unsigned int. On 64‑bit systems this silently truncates numbers that exceed the 32‑bit unsigned maximum. When a Content‑Length value such as 2^32+32 is truncated to 32, the kernel miscalculates the end of the SIP message. The parser then treats the remaining data in the TCP segment as a second SIP message and forwards it to the SDP parser, potentially corrupting state or exhausting resources, resulting in a denial of service or unpredictable application behavior. Based on the description, it is inferred that an attacker can craft SIP packets with oversized Content‑Length headers, sending them over the network to a vulnerable kernel. This attack does not require local privileges and relies solely on malformed SIP traffic to trigger the bug. The flaw is an integer truncation error (CWE‑681) that directly impacts the integrity of SIP message parsing. The kernel does not perform validation against the remaining TCP payload, which allows the attacker to manipulate the parsing boundary arbitrarily.

Affected Systems

All Linux kernel releases that include the nf_conntrack_sip module and have not applied the upstream fix are affected. The kernel version list provided (complete e.g., 7.0 releases and earlier) indicates that the vulnerability exists across multiple generations of the kernel until the patch is merged. No specific software vendor or distribution is enumerated beyond the generic Linux kernel. This includes systems running on 64‑bit architectures, as the truncation occurs only on those platforms. No version ranges are supplied in the CNA data, so the recommendation is that any kernel build that incorporates nf_conntrack_sip and predates the merged patch is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.6 demonstrates high severity, while the EPSS score of < 1% indicates a very low but non-zero probability that the vulnerability will see real‑world exploitation. The flaw is not listed in the CISA KEV catalog. Attackers could exploit the issue remotely, simply by sending specially crafted SIP traffic to a vulnerable host. No user interaction or local privileges are needed, and the exploitation path is straightforward: receive malicious SIP packets containing an oversized Content‑Length header and trigger the integer truncation bug, which in turn leads to denial of service or application corruption.

Generated by OpenCVE AI on May 26, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream kernel patch that changes the clen variable to unsigned long and rejects Content‑Length values that exceed the remaining TCP payload.
  • Upgrade to a kernel version that incorporates this fix, such as the latest stable or distribution‑specific update with the merged changes.
  • If an immediate upgrade is not possible, consider temporarily disabling SIP support in nf_conntrack or filtering SIP traffic with a firewall to block packets containing excessively large Content‑Length headers.

Advisories

Source       ID           Title
Debian DLA   DLA-4561-1   linux-6.1 security update
Debian DLA   DLA-4606-1   linux security update
Debian DSA   DSA-6238-1   linux security update
Debian DSA   DSA-6243-1   linux security update

History

Tue, 26 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}


Sat, 18 Apr 2026 09:15:00 +0000


Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-681
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.
Title netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:07:21.559Z

Reserved: 2026-01-13T15:37:46.020Z

Link: CVE-2026-23457

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-03T16:16:32.473

Modified: 2026-05-26T14:40:03.880

Link: CVE-2026-23457

Redhat

Severity : Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23457 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T16:00:11Z

Weaknesses