9.1

CVE-2026-23455

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.17 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.167
LinuxLinux Kernel Version >= 6.2 < 6.6.130
LinuxLinux Kernel Version >= 6.7 < 6.12.78
LinuxLinux Kernel Version >= 6.13 < 6.18.20
LinuxLinux Kernel Version >= 6.19 < 6.19.10
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.51% 0.396
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4
Patch
https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60
Patch
https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111
Patch
https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8
Patch
https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b
Patch
https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66
Patch
https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0
Patch
https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710
Patch