{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23455","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:46.020Z","datePublished":"2026-04-03T15:15:36.869Z","dateUpdated":"2026-04-27T14:02:33.617Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-04-27T14:02:33.617Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_conntrack_h323_asn1.c"],"versions":[{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"2121f5fbe88daff0f1fc5bc47d359426c74b86b0","status":"affected","versionType":"git"},{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"65fa92f79677858b14b9e4b7275f26639afe2710","status":"affected","versionType":"git"},{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"495e97af9e7249ee02b72bb1d0848a6efc3700f4","status":"affected","versionType":"git"},{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"f5e4f4e4cdb75ec36802059a94195a31f193da60","status":"affected","versionType":"git"},{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"633e8f87dad32263f6a57dccdb873f042c062111","status":"affected","versionType":"git"},{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8","status":"affected","versionType":"git"},{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"b652b05d51003ac074b912684f9ec7486231717b","status":"affected","versionType":"git"},{"version":"5e35941d990123f155b02d5663e51a24f816b6f3","lessThan":"f173d0f4c0f689173f8cdac79991043a4a89bf66","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/netfilter/nf_conntrack_h323_asn1.c"],"versions":[{"version":"2.6.17","status":"affected"},{"version":"0","lessThan":"2.6.17","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.20","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.10","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.18.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"6.19.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.17","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0"},{"url":"https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710"},{"url":"https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4"},{"url":"https://git.kernel.org/stable/c/f5e4f4e4cdb75ec36802059a94195a31f193da60"},{"url":"https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111"},{"url":"https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8"},{"url":"https://git.kernel.org/stable/c/b652b05d51003ac074b912684f9ec7486231717b"},{"url":"https://git.kernel.org/stable/c/f173d0f4c0f689173f8cdac79991043a4a89bf66"}],"title":"netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()","x_generator":{"engine":"bippy-1.2.0"}}}}