CVE-2024-26851 Linux CVE debrief

Who should care

Linux kernel maintainers, distro security teams, and operators running affected kernel branches should care, especially where H.323 connection tracking is enabled or could be reached through packet processing on exposed systems.

Technical summary

According to the CVE description, abnormal skb data can cause the H.323 RAS message decoder in net/netfilter/nf_conntrack_h323_asn1.c to accumulate an extension bitmap length greater than 32. That length is then used in a shift operation, and after repeated looping the value can become negative, leading to an out-of-bounds/undefined bitwise shift reported by UBSAN. The remediation adds protection to reject lengths that exceed the valid range and abort decoding with an out-of-range error. NVD classifies the issue as CWE-787 and rates it CVSS 3.1 5.5/Medium with AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Defensive priority

Medium

Recommended defensive actions

• Apply the Linux kernel fix from the referenced stable patches and update to a release that includes the remediation.
• Verify which deployed kernel branches are in the affected ranges listed by NVD, including the listed 4.x, 5.x, 6.x, and 6.8-rc builds.
• Prioritize patching systems that run H.323 conntrack support and are exposed to untrusted traffic paths.
• Use vendor and distribution advisories to confirm backport status for your specific kernel build.
• After patching, validate that the running kernel contains the corrected nf_conntrack_h323 ASN.1 decoder behavior.

Evidence notes

The CVE record was published on 2024-04-17 and last modified on 2026-05-12. The supplied NVD description states that the H.323 conntrack decoder can hit a UBSAN shift issue when bitmap length exceeds 32 and that the fix adds protection to stop out-of-range lengths. NVD lists CWE-787 and CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. NVD also provides affected Linux kernel CPE ranges and references multiple kernel stable patch links.

Official resources