8.2

CVE-2026-43233

EPSS 0.07%
Veröffentlicht 06.05.2026 11:28:29
Zuletzt bearbeitet 12.05.2026 19:03:56
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

In decode_choice(), the boundary check before get_len() uses the
variable `len`, which is still 0 from its initialization at the top of
the function:

    unsigned int type, ext, len = 0;
    ...
    if (ext || (son->attr & OPEN)) {
        BYTE_ALIGN(bs);
        if (nf_h323_error_boundary(bs, len, 0))  /* len is 0 here */
            return H323_ERROR_BOUND;
        len = get_len(bs);                        /* OOB read */

When the bitstream is exactly consumed (bs->cur == bs->end), the check
nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),
which is false.  The subsequent get_len() call then dereferences
*bs->cur++, reading 1 byte past the end of the buffer.  If that byte
has bit 7 set, get_len() reads a second byte as well.

This can be triggered remotely by sending a crafted Q.931 SETUP message
with a User-User Information Element containing exactly 2 bytes of
PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with
the nf_conntrack_h323 helper active.  The decoder fully consumes the
PER buffer before reaching this code path, resulting in a 1-2 byte
heap-buffer-overflow read confirmed by AddressSanitizer.

Fix this by checking for 2 bytes (the maximum that get_len() may read)
instead of the uninitialized `len`.  This matches the pattern used at
every other get_len() call site in the same file, where the caller
checks for 2 bytes of available data before calling get_len().

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

NVD 15 VulnDex Vulnerability Enrichment 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.15.1 < 5.10.252

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.202

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.16

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.6

Linux ≫ Linux Kernel Version4.15 Update-

Linux ≫ Linux Kernel Version4.15 Updaterc4

Linux ≫ Linux Kernel Version4.15 Updaterc5

Linux ≫ Linux Kernel Version4.15 Updaterc6

Linux ≫ Linux Kernel Version4.15 Updaterc7

Linux ≫ Linux Kernel Version4.15 Updaterc8

Linux ≫ Linux Kernel Version4.15 Updaterc9

Linux ≫ Linux Kernel Version7.0 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.208

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041

Patch

https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a

Patch

https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead

Patch

https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16

Patch

https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1

Patch

https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129

Patch

https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224

Patch

https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-43233

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-43233

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-43233

EUVD