Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: don't use simple_strtoul

Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(),
and ct_sip_parse_request() with a new sip_parse_port() helper that
validates each digit against the buffer limit, eliminating the use of
simple_strtoul() which assumes NUL-terminated strings.

The previous code dereferenced pointers without bounds checks after
sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated
skb data. A port that reaches the buffer limit without a trailing
character is also rejected as malformed.

Also get rid of all simple_strtoul() usage in conntrack, prefer a
stricter version instead. There are intentional changes:

- Bail out if number is > UINT_MAX and indicate a failure, same for
  too long sequences.
  While we do accept 05535 as port 5535, we will not accept e.g.
  'sip:10.0.0.1:005060'. While it's syntactically valid under RFC 3261,
  we should restrict this to not waste cycles when presented with
  malformed packets with 64k '0' characters.

- Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch
  'expire=' and 'rports='; both are expected to use base-10.

- In nf_nat_sip.c, only accept the parsed value if it's within the 1k-64k
  range.

- epaddr_len now returns 0 if the port is invalid, as it already does
  for invalid IP addresses. This is intentional. nf_conntrack_sip
  performs lots of guesswork to find the right parts of the message
  to parse. Being stricter could break existing setups.
  Connection tracking helpers are designed to allow traffic to
  pass, not to block it.

Based on an earlier patch from Jenny Guanni Qu <qguanni@gmail.com>.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
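
A minimal sketch of the bounded port parsing that the description above calls for, added here as an illustration; it is not the kernel's sip_parse_port(). The names parse_port_bounded and port_from, the five-digit cap (chosen to fit the accepted "05535" and rejected "005060" examples) and the 65535 ceiling are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

#define PORT_MAX_DIGITS 5   /* assumption: admits "05535", rejects "005060" */

/*
 * Hypothetical helper: parse a decimal port from [p, limit).
 * The data is never assumed to be NUL-terminated; every byte is
 * checked against limit before it is read.
 * Returns 1 and fills *port and *end on success, 0 if malformed.
 */
static int parse_port_bounded(const char *p, const char *limit,
                              unsigned int *port, const char **end)
{
    unsigned int val = 0;
    int digits = 0;

    while (p < limit && *p >= '0' && *p <= '9') {
        if (++digits > PORT_MAX_DIGITS)
            return 0;       /* digit run too long */
        val = val * 10 + (unsigned int)(*p - '0');
        p++;
    }
    if (digits == 0)
        return 0;           /* no digits at all */
    if (p == limit)
        return 0;           /* reached buffer limit, no trailing character */
    if (val > 65535)
        return 0;           /* assumption: outside the 16-bit port range */
    *port = val;
    *end = p;
    return 1;
}

/* Parse the first len bytes of buf; returns the port, or -1 if rejected. */
static long port_from(const char *buf, size_t len)
{
    unsigned int port;
    const char *end;

    return parse_port_bounded(buf, buf + len, &port, &end) ? (long)port : -1;
}

int main(void)
{
    /* Constructed samples; lengths are explicit, no NUL is relied upon. */
    printf("%ld %ld %ld\n", port_from("5060;", 5), port_from("005060;", 7),
           port_from("50609999", 4));
    return 0;
}
```

The third sample passes a four-byte window over a longer digit run: the parser stops at the limit and rejects the input instead of reading the bytes beyond it.
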
AI Analysis

Impact

In the Linux kernel, parsing of SIP port numbers previously used simple_strtoul, which assumes NUL‑terminated strings and performs no bounds checking after skb data extraction. This could lead to memory corruption or kernel crashes when receiving malformed SIP packets. The patch replaces these calls with a stricter helper that validates each digit against buffer limits, ensures numbers stay within UINT_MAX, and rejects excessively long sequences. By securing this parsing logic, the kernel no longer risks out‑of‑bounds reads or integer overflows caused by malformed input, preventing a potential denial‑of‑service condition.

Affected Systems

The vulnerability exists in the nf_conntrack_sip helper used by the Linux kernel's netfilter subsystem. All kernel versions that include the nf_conntrack_sip module and contain the old parsing code are impacted. The affected products are generic Linux kernels; specific versions are not listed in the CVE data. Systems that process SIP traffic through netfilter conntrack should update to a kernel version that includes the patch.

Risk and Exploitability

Without a publicly published CVSS score, the exact severity is unspecified, but the use of unbounded parsing suggests a moderate to high risk for a kernel panic. Exploitation would likely involve sending crafted SIP packets over the network to a vulnerable host. EPSS data is unavailable, and the issue is not tracked in CISA KEV, indicating no known widespread exploitation as of the data release. Operators should treat this as a potential denial‑of‑service threat and apply the kernel update promptly.

Generated by OpenCVE AI on June 24, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel incorporating the nf_conntrack_sip parsing fix.
  • If an immediate update is not possible, disable the nf_conntrack_sip helper or block SIP traffic at the network perimeter to mitigate.
  • Verify that port validation logic rejects malformed ports; if custom SIP proxies are in use, ensure they use base‑10 parsing and reject ports outside the 1k‑64k range.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:00:00 +0000

Values Removed: (none)
Values Added:
  • Weaknesses: CWE-120, CWE-190

Wed, 24 Jun 2026 17:15:00 +0000

Values Removed: (none)
Values Added:
  • Description: the text given in the Description section at the top of this page
  • Title: netfilter: nf_conntrack_sip: don't use simple_strtoul
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:00.752Z

Reserved: 2026-06-09T07:44:35.376Z

Link: CVE-2026-52986

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:45:05Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-190

    Integer Overflow or Wraparound