PatchSiren

CVE-2026-23457 Linux CVE debrief

A vulnerability in the Linux kernel's netfilter SIP connection tracking module (nf_conntrack_sip) allows an attacker to trigger incorrect message boundary parsing in sip_help_tcp(). The root cause is a type mismatch: simple_strtoul() returns unsigned long, but the result is stored in unsigned int clen. On 64-bit systems, Content-Length values exceeding UINT_MAX (e.g., 4294967328) are silently truncated, causing the parser to miscalculate where the current SIP message ends. The loop then incorrectly treats trailing TCP segment data as a second SIP message and processes it through the SDP parser. This can lead to unexpected state in the connection tracker and potential availability impact. The fix changes clen to unsigned long and adds validation to reject Content-Length values exceeding remaining TCP payload length.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Linux system administrators running VoIP/SIP services with netfilter connection tracking enabled; security teams managing kernel attack surface; network engineers responsible for SIP infrastructure availability

Technical summary

The nf_conntrack_sip module's TCP helper (sip_help_tcp()) parses SIP Content-Length headers using simple_strtoul() but stores the result in unsigned int. On 64-bit architectures, this causes truncation of values > UINT_MAX, leading to incorrect message boundary calculation. The parser then misidentifies trailing data as a separate SIP message, potentially causing connection tracking state corruption. The fix promotes clen to unsigned long and adds bounds checking against remaining payload length.
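The truncation and the bounds check described above, as an added userspace model (not the kernel's code or the upstream patch). Assumptions: uint32_t/uint64_t stand in for unsigned int/unsigned long on a 64-bit kernel, strtoull() stands in for simple_strtoul(), and the helper names and the 200-byte payload are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only. Fixed-width types mimic a 64-bit kernel:
 * uint32_t = unsigned int, uint64_t = unsigned long. */

/* Pre-fix behaviour: the parsed Content-Length is narrowed to 32 bits. */
static uint32_t clen_truncated(const char *value)
{
    return (uint32_t)strtoull(value, NULL, 10);
}

/* Post-fix behaviour as the advisory describes it: keep the full width and
 * reject a Content-Length larger than the remaining TCP payload.
 * Returns 0 and sets *clen on success, -1 when the value is rejected. */
static int clen_checked(const char *value, uint64_t remaining, uint64_t *clen)
{
    uint64_t v = strtoull(value, NULL, 10);

    if (v > remaining)
        return -1;
    *clen = v;
    return 0;
}

/* Bytes beyond the computed end of the first message, i.e. what the
 * message loop would treat as a second SIP message. */
static uint64_t trailing_after(uint64_t clen, uint64_t remaining)
{
    return clen < remaining ? remaining - clen : 0;
}

int main(void)
{
    const char *hdr = "4294967328"; /* value from the advisory: 2^32 + 32 */
    uint64_t remaining = 200;       /* constructed: payload bytes after the headers */
    uint64_t clen = 0;
    uint32_t t = clen_truncated(hdr);

    printf("pre-fix:  clen=%u, bytes parsed as a second message=%llu\n",
           t, (unsigned long long)trailing_after(t, remaining));
    if (clen_checked(hdr, remaining, &clen) < 0)
        printf("post-fix: Content-Length rejected, nothing re-parsed\n");
    return 0;
}
```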

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or later stable versions
  • If immediate patching is not possible, consider disabling the SIP connection tracking helper (nf_conntrack_sip) if it is not required for VoIP infrastructure
  • Monitor for kernel updates from distribution vendors for backported fixes
  • Review firewall/netfilter configurations to assess exposure of SIP services to untrusted networks

Evidence notes

CVE published 2026-04-03; NVD status is Analyzed, with CVSS 8.6 HIGH. Multiple stable kernel patches are available across affected branches. CPE criteria indicate affected versions from 2.6.34 through multiple stable branches (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19) and the 7.0-rc series.
