PatchSiren

CVE-2026-23456 Linux CVE debrief

A slab-out-of-bounds read vulnerability exists in the Linux kernel's netfilter H.323 connection tracking module. The flaw occurs in decode_int() when processing the CONS (constructed) case: after reading a 2-bit length value via get_bits(), the code calls get_uint() to read 1-4 bytes without verifying that sufficient bytes remain in the buffer. A malformed H.323/RAS packet can trigger a 1-4 byte out-of-bounds read from kernel slab memory. The vulnerability affects Linux kernel versions from 2.6.17 through multiple stable branches, with patches available for 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and later. The CVSS 3.1 score of 8.2 (HIGH) reflects a network attack vector with low complexity, no privileges required, and high availability impact. No known exploitation in the wild has been reported, and this vulnerability is not listed in CISA KEV.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Linux system administrators running kernels with netfilter H.323 connection tracking enabled, particularly those hosting or proxying H.323 video conferencing infrastructure. Security teams monitoring for kernel-level denial of service conditions. Organizations with VoIP/video infrastructure using H.323 protocols should prioritize patching. Cloud providers and managed hosting environments should evaluate kernel update schedules for affected versions. Network security teams should assess exposure of H.323 services to external networks.

Technical summary

The vulnerability resides in net/netfilter/nf_conntrack_h323_asn1.c in the decode_int() function. When processing ASN.1 CONS (constructed) encoding, the function reads a 2-bit length field (0-3, mapping to 1-4 bytes) then immediately calls get_uint(bs, len) without checking bs->len. The existing boundary validation only covers the 2 bits for get_bits(), not the subsequent multi-byte read. This allows a remote attacker sending a crafted H.323/RAS packet to trigger a 1-4 byte read beyond the allocated skb buffer into adjacent slab memory. The read primitive is limited but may cause kernel crashes or information disclosure depending on slab layout. The fix adds explicit boundary checks before get_uint() calls.
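The missing check described above, as an added user-space model (not the kernel's code and not from the NVD record). The buffer layout, function names and ERR_BOUND are assumptions made for illustration: the 2-bit length is taken from the top of the first byte, and the unpatched path is modelled by counting the bytes it would over-read rather than by reading them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_BOUND (-1)  /* hypothetical error code for this model */

/* Model assumption: the top 2 bits of buf[0] hold (len - 1); the reader then
 * aligns to the next byte and reads len bytes as a big-endian integer. */
static int cons_len(const uint8_t *buf, size_t n, size_t *len)
{
    if (n < 1)                        /* existing check: the 2 bits are present */
        return ERR_BOUND;
    *len = (size_t)(buf[0] >> 6) + 1; /* 0..3 maps to 1..4 bytes */
    return 0;
}

/* Unpatched path, modelled without performing the read: how many bytes past
 * the end of buf the multi-byte read would touch (0 means in bounds). */
int cons_overread(const uint8_t *buf, size_t n)
{
    size_t len = 0;
    if (cons_len(buf, n, &len))
        return 0;
    size_t avail = n - 1;             /* bytes left after alignment */
    return len > avail ? (int)(len - avail) : 0;
}

/* Patched path: return ERR_BOUND unless len bytes remain in the buffer. */
int cons_decode_checked(const uint8_t *buf, size_t n, uint32_t *out)
{
    size_t len = 0;
    uint32_t v = 0;
    if (cons_len(buf, n, &len) || len > n - 1)   /* second test is the added check */
        return ERR_BOUND;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | buf[1 + i];
    *out = v;
    return 0;
}

int main(void)
{
    const uint8_t pkt[] = {0xC0, 0x01, 0x02}; /* constructed: claims 4 bytes, has 2 */
    uint32_t v = 0;
    printf("unpatched over-read: %d byte(s), patched rc: %d\n",
           cons_overread(pkt, sizeof pkt), cons_decode_checked(pkt, sizeof pkt, &v));
    return 0;
}
```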

Defensive priority

HIGH

Recommended defensive actions

  • Apply kernel patches from stable branches: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or 7.0-rc5+
  • If patching is not immediately feasible, consider unloading the nf_conntrack_h323 module on systems where H.323 connection tracking is not required
  • Monitor for unexpected kernel crashes or slab corruption errors in systems processing H.323/RAS traffic
  • Review network segmentation to limit exposure of H.323 services to untrusted networks
  • Validate that security monitoring can detect anomalous H.323 packet patterns that may indicate exploitation attempts

Evidence notes

Vulnerability description and patch details sourced from NVD record published 2026-04-03 and modified 2026-05-26. Affected version ranges derived from NVD CPE criteria. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H confirms network attack vector with high availability impact. CWE-125 (Out-of-bounds Read) identified as primary weakness. Eight kernel.org stable branch patches referenced in source metadata.
