CVE-2026-23455 PUBLISHED

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

Assigner: Linux
Reserved: 13.01.2026 Published: 03.04.2026 Updated: 03.04.2026

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 5e35941d990123f155b02d5663e51a24f816b6f3 to 495e97af9e7249ee02b72bb1d0848a6efc3700f4 (excl.)
  • affected from 5e35941d990123f155b02d5663e51a24f816b6f3 to f5e4f4e4cdb75ec36802059a94195a31f193da60 (excl.)
  • affected from 5e35941d990123f155b02d5663e51a24f816b6f3 to 633e8f87dad32263f6a57dccdb873f042c062111 (excl.)
  • affected from 5e35941d990123f155b02d5663e51a24f816b6f3 to 9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8 (excl.)
  • affected from 5e35941d990123f155b02d5663e51a24f816b6f3 to b652b05d51003ac074b912684f9ec7486231717b (excl.)
  • affected from 5e35941d990123f155b02d5663e51a24f816b6f3 to f173d0f4c0f689173f8cdac79991043a4a89bf66 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.17 is affected
  • unaffected from 0 to 2.6.17 (excl.)
  • unaffected from 6.1.167 to 6.1.* (incl.)
  • unaffected from 6.6.130 to 6.6.* (incl.)
  • unaffected from 6.12.78 to 6.12.* (incl.)
  • unaffected from 6.18.20 to 6.18.* (incl.)
  • unaffected from 6.19.10 to 6.19.* (incl.)
  • unaffected from 7.0-rc5 to * (incl.)

References