Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

In decode_choice(), the boundary check before get_len() uses the
variable `len`, which is still 0 from its initialization at the top of
the function:

    unsigned int type, ext, len = 0;
    ...
    if (ext || (son->attr & OPEN)) {
            BYTE_ALIGN(bs);
            if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */
                    return H323_ERROR_BOUND;
            len = get_len(bs); /* OOB read */

When the bitstream is exactly consumed (bs->cur == bs->end), the check
nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),
which is false. The subsequent get_len() call then dereferences
*bs->cur++, reading 1 byte past the end of the buffer. If that byte
has bit 7 set, get_len() reads a second byte as well.

This can be triggered remotely by sending a crafted Q.931 SETUP message
with a User-User Information Element containing exactly 2 bytes of
PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with
the nf_conntrack_h323 helper active. The decoder fully consumes the
PER buffer before reaching this code path, resulting in a 1-2 byte
heap-buffer-overflow read confirmed by AddressSanitizer.

Fix this by checking for 2 bytes (the maximum that get_len() may read)
instead of the uninitialized `len`. This matches the pattern used at
every other get_len() call site in the same file, where the caller
checks for 2 bytes of available data before calling get_len().
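The boundary check described above, modelled as an added example that is not the kernel's code: the struct and function names are assumptions mirroring struct bitstr, nf_h323_error_boundary() and get_len(), and the byte values are constructed. Passing 0 to the check reproduces the unpatched branch (len still 0), passing 2 reproduces the fix.

```c
#include <stddef.h>

#define BITS_PER_BYTE 8
#define H323_ERROR_BOUND (-1)

/* Model of the kernel's bitstream cursor (assumption: names mirror struct bitstr). */
struct bitstr {
    const unsigned char *buf, *cur, *end;
    unsigned int bit;               /* bit offset within *cur; 0 after BYTE_ALIGN() */
};

/* Model of nf_h323_error_boundary(): 1 if `bytes` bytes plus `bits` bits would pass bs->end. */
static int error_boundary(const struct bitstr *bs, size_t bytes, size_t bits)
{
    bits += bs->bit;
    bytes += bits / BITS_PER_BYTE;
    if (bits % BITS_PER_BYTE > 0)
        bytes++;
    return bs->cur + bytes > bs->end;
}

/* Model of get_len(): PER length determinant, 1 byte, or 2 when bit 7 of the first is set. */
static unsigned int get_len(struct bitstr *bs)
{
    unsigned int v = *bs->cur++;
    if (v & 0x80)                   /* long form: 14-bit length over two bytes */
        v = ((v & 0x3f) << 8) + *bs->cur++;
    return v;
}

/* The open-type branch of decode_choice(). check_bytes = 0 reproduces the unpatched
 * check (len still 0); check_bytes = 2 reproduces the fix. Returns the decoded
 * length, or H323_ERROR_BOUND when the boundary check rejects. */
static int choice_open_len(struct bitstr *bs, size_t check_bytes)
{
    if (error_boundary(bs, check_bytes, 0))
        return H323_ERROR_BOUND;
    return (int)get_len(bs);
}

/* Constructed scenario: the 2-byte PER payload {0x08, 0x00} is fully consumed, so
 * cur == end. The bytes after end stand in for adjacent heap memory; they sit inside
 * this array only so the unpatched path can run without undefined behaviour. */
static int run_consumed_buffer(size_t check_bytes)
{
    static const unsigned char storage[4] = { 0x08, 0x00, 0xAA, 0xBB };
    struct bitstr bs = { storage, storage + 2, storage + 2, 0 };  /* cur == end */
    return choice_open_len(&bs, check_bytes);
}
```

With the unpatched check the call returns a length assembled from the two bytes beyond `end` (0xAA has bit 7 set, so both are read); with the 2-byte check it returns H323_ERROR_BOUND before get_len() runs.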
Published: 2026-05-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds read in the nf_conntrack_h323 helper of the Linux kernel constitutes a CWE-125 weakness, where an uninitialized length variable causes a boundary check to be performed incorrectly. Additionally, the uninitialized variable itself represents a CWE-131 weakness. When a Q.931 SETUP packet with a specific User-User Information Element is received, the decoder's boundary check fails to detect the end of the buffer, allowing the helper to read one or two bytes beyond the allowed heap region. This can leak adjacent kernel memory contents and can also trigger a kernel crash. While the flaw does not enable arbitrary code execution, the disclosure of kernel memory and the possibility of a crash compromise confidentiality and availability.

Affected Systems

All Linux kernel builds that contain the nf_conntrack_h323 helper are affected. The vulnerability is present in the generic Linux kernel and is not limited to a specific distribution version. Any kernel that has not applied the patch that corrects the length check before get_len() is vulnerable.

Risk and Exploitability

An attacker can trigger the flaw by sending a crafted Q.931 SETUP packet to a host with the nf_conntrack_h323 helper enabled. Because the helper operates in kernel space, the out-of-bounds read occurs before user-space handling. The CVSS score of 8.2 indicates high severity. The EPSS score of < 1% indicates a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. With no authentication required and a purely network-based trigger, the exploit remains feasible from remote hosts, potentially leading to memory disclosure and kernel crashes that compromise availability.

Generated by OpenCVE AI on May 12, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that contains the nf_conntrack_h323 fix (the patch eliminates the uninitialized length check).
  • Disable the nf_conntrack_h323 helper on systems that do not need H.323 traffic to reduce the attack surface.
  • Block or restrict traffic on port 1720 (H.323) with firewall rules or allow only trusted hosts, thereby preventing crafted packets from reaching the kernel helper.


Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc9:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


Thu, 07 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:20:34.788Z

Reserved: 2026-05-01T14:12:55.995Z

Link: CVE-2026-43233

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:43.417

Modified: 2026-05-12T19:03:56.650

Link: CVE-2026-43233

Redhat

Severity : Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43233 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses