CVE-2026-23455

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2026-23455 RHSA-2026:21556 RHSA-2026:21557 RHSA-2026:21706 RHSA-2026:21745 UBUNTU-CVE-2026-23455

Analyzed

Published: 03 Apr 2026, 15:15

Last modified:11 May 2026, 22:07

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.1 CRITICAL

v3.1 (cve.org)

EPSS Score

0.07% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

03 Apr 2026, 15:15

Published

Vulnerability first disclosed

11 May 2026, 22:07

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.

CVSS Metrics

v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Trends

Current EPSS score: 0.07%• Percentile: 23%

Techniques & Countermeasures

CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

linux•linux
≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < 2121f5fbe88daff0f1fc5bc47d359426c74b86b0 | ≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < 65fa92f79677858b14b9e4b7275f26639afe2710 | ≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < 495e97af9e7249ee02b72bb1d0848a6efc3700f4 | ≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < f5e4f4e4cdb75ec36802059a94195a31f193da60 | ≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < 633e8f87dad32263f6a57dccdb873f042c062111 | ≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < 9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8 | ≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < b652b05d51003ac074b912684f9ec7486231717b | ≥ 5e35941d990123f155b02d5663e51a24f816b6f3, < f173d0f4c0f689173f8cdac79991043a4a89bf66 | 2.6.17
linux•linux_kernel
≥ 2.6.17, < 5.10.253 | ≥ 5.11, < 5.15.203 | ≥ 5.16, < 6.1.167 | ≥ 6.2, < 6.6.130 | ≥ 6.7, < 6.12.78 | ≥ 6.13, < 6.18.20 | ≥ 6.19, < 6.19.10 | 7.0:rc1 | 7.0:rc2 | 7.0:rc3 | 7.0:rc4