PatchSiren cyber security CVE debrief
CVE-2026-23455 Linux CVE debrief
An integer underflow vulnerability exists in the Linux kernel's netfilter H.323 connection tracking module. In the DecodeQ931() function, a 16-bit length field read from packet data is decremented by 1 to skip the protocol discriminator byte before being passed to DecodeH323_UserInformation(). When the encoded length is 0, this decrement wraps to -1 (interpreted as a large unsigned value), causing an out-of-bounds read. The vulnerability affects Linux kernel versions from 2.6.17 through multiple stable branches, with patches available for supported releases. This is a network-reachable vulnerability in connection tracking code processing H.323/Q.931 protocol data.
- Vendor: Linux
- Product: Unknown
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-03
- Original CVE updated: 2026-05-26
- Advisory published: 2026-04-03
- Advisory updated: 2026-05-26
Who should care
Linux system administrators, network security engineers, telecommunications infrastructure operators using H.323 protocols, kernel maintainers, and organizations running VoIP or video conferencing systems that rely on H.323 connection tracking.
Technical summary
The vulnerability resides in net/netfilter/nf_conntrack_h323_main.c in the DecodeQ931() function. When processing Q.931 User-User Information Elements (IE), the code reads a 16-bit length field and decrements it by 1 to account for the protocol discriminator byte. The absence of a check for zero length before this decrement causes an integer underflow, resulting in a very large length value being passed to the ASN.1 decoder (DecodeH323_UserInformation()). This leads to out-of-bounds memory access when the decoder attempts to read beyond packet boundaries. The fix adds a validation check to ensure the length remains positive after decrement.
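A simplified model of the length handling described above, added here as an illustration; it is not the kernel source or the upstream patch. The function names, return codes, the exact form of the zero-length check, and the sample byte strings are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the User-User IE length handling; NOT the kernel source.
 * `ie` points at the 2-byte big-endian length field, `avail` is the number of
 * packet bytes remaining from there. All names here are hypothetical. */
enum { UUIE_OK = 0, UUIE_ERR_BOUND = -1 };

static int uuie_len(const uint8_t *ie, size_t avail, int hardened, size_t *out)
{
    int len;

    if (avail < 2)
        return UUIE_ERR_BOUND;
    len = (ie[0] << 8) | ie[1];
    avail -= 2;
    if (avail < (size_t)len)        /* declared length must fit in the packet */
        return UUIE_ERR_BOUND;      /* note: a length of 0 always passes this */
    if (hardened && len < 1)        /* assumed form of the added check */
        return UUIE_ERR_BOUND;
    len--;                          /* skip the protocol discriminator byte */
    *out = (size_t)len;             /* decoder size modelled as size_t: -1 wraps */
    return UUIE_OK;
}

/* Pre-fix behaviour as the page describes it: no zero-length check. */
int uuie_len_unchecked(const uint8_t *ie, size_t avail, size_t *out)
{
    return uuie_len(ie, avail, 0, out);
}

/* Behaviour with a zero-length check in place. */
int uuie_len_checked(const uint8_t *ie, size_t avail, size_t *out)
{
    return uuie_len(ie, avail, 1, out);
}

int main(void)
{
    const uint8_t zero_len[] = { 0x00, 0x00 };                   /* constructed sample */
    const uint8_t normal[]   = { 0x00, 0x03, 0x05, 0xAA, 0xBB }; /* constructed sample */
    size_t n = 0;

    uuie_len_unchecked(zero_len, sizeof zero_len, &n);
    printf("unchecked, length 0: decoder size = %zu\n", n);
    printf("checked,   length 0: rc = %d\n", uuie_len_checked(zero_len, sizeof zero_len, &n));
    uuie_len_checked(normal, sizeof normal, &n);
    printf("checked,   length 3: decoder size = %zu\n", n);
    return 0;
}
```

The packet-bounds comparison alone does not catch the zero case, because an encoded length of 0 always fits in the remaining bytes; only a check on the length value itself stops the wrap.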
Defensive priority
critical
Recommended defensive actions
- Apply kernel patches from stable branches: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or 7.0-rc5+
- If patching is not immediately feasible, consider disabling the H.323 connection tracking helper (nf_conntrack_h323) if it is not required for operations
- Monitor for kernel updates from distribution maintainers for backported fixes
- Review network segmentation to limit exposure of H.323 services where possible
- Validate that security monitoring can detect anomalous H.323/Q.931 traffic patterns
Evidence notes
Vulnerability description sourced from the NVD CVE record published 2026-04-03 and modified 2026-05-26. Root cause confirmed by kernel patch commits adding a length validation check. CWE-125 (Out-of-bounds Read) assigned by NVD. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H indicates a network attack vector with low complexity, no privileges required, and high impact to confidentiality and availability.
Official resources
- CVE-2026-23455 CVE record (CVE.org)
- CVE-2026-23455 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
2026-04-03T16:16:32.123Z