Cyber Resilience

CVE-2026-23455

Critical

Published: 03 April 2026

Modified: 26 May 2026
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0051 (39.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23455 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23455 is an out-of-bounds read vulnerability in the Linux kernel's netfilter nf_conntrack_h323 subsystem, specifically within the DecodeQ931() function. The issue arises when processing the UserUserIE code path: the function reads a 16-bit length from the packet, decrements it by 1 to account for the protocol discriminator byte, and passes the result to DecodeH323_UserInformation(). If the encoded length is zero, the decrement causes an underflow to -1, interpreted as a large unsigned value, leading to an out-of-bounds read. It affects Linux kernel versions with the nf_conntrack_h323 module loaded for H.323 protocol connection tracking, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

Remote, unauthenticated attackers can exploit this vulnerability over the network by sending crafted H.323 packets containing a zero-length UserUserIE field. No user interaction or privileges are required, and the attack has low complexity. Successful exploitation triggers the out-of-bounds read, potentially resulting in high-impact confidentiality loss through information disclosure or high-impact availability disruption, such as kernel crashes or denial of service.

Mitigation requires updating to a patched Linux kernel version. The fix adds a check in DecodeQ931() to ensure the length remains positive after decrementing, as implemented in stable kernel commits including https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0, https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4, https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111, https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710, and https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8.
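
The length handling described above, as an added C example: it is a simplified model written for this page, not the kernel's DecodeQ931() source. The 2-byte big-endian length, the field layout, and the names uu_decoder_size_unchecked and uu_parse_checked are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the length handling described above, NOT kernel source.
 * Assumed layout: 2-byte big-endian length, 1 protocol discriminator byte,
 * then the payload handed to a decoder that takes an unsigned size. */
enum { UU_OK = 0, UU_TRUNCATED = -1, UU_BAD_LEN = -2 };

/* "Before": decrement with no check. Returns the size the decoder would see. */
static size_t uu_decoder_size_unchecked(const uint8_t *p)
{
    int len = (p[0] << 8) | p[1];
    len--;                      /* 0 becomes -1 */
    return (size_t)len;         /* -1 converts to SIZE_MAX */
}

/* "After": bound the length by the bytes present, then require it to be
 * positive after the decrement before exposing any payload. */
static int uu_parse_checked(const uint8_t *buf, size_t buflen,
                            const uint8_t **payload, size_t *payload_len)
{
    if (buflen < 2)
        return UU_TRUNCATED;
    int len = (buf[0] << 8) | buf[1];
    buf += 2;
    buflen -= 2;
    if ((size_t)len > buflen)
        return UU_TRUNCATED;    /* claimed length exceeds the packet */
    len--;                      /* skip the protocol discriminator */
    if (len <= 0)
        return UU_BAD_LEN;      /* zero-length (or discriminator-only) IE */
    *payload = buf + 1;
    *payload_len = (size_t)len;
    return UU_OK;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const uint8_t zero_len[] = { 0x00, 0x00 };
    const uint8_t good[] = { 0x00, 0x03, 0x05, 0xAA, 0xBB };
    const uint8_t *pl; size_t n;
    printf("unchecked size: %zu\n", uu_decoder_size_unchecked(zero_len));
    printf("checked zero:   %d\n", uu_parse_checked(zero_len, 2, &pl, &n));
    printf("checked good:   %d\n", uu_parse_checked(good, sizeof good, &pl, &n));
    return 0;
}
```

The checked variant also compares the claimed length with the bytes actually present, a second bound this example adds beyond the positive-after-decrement check the fix description mentions.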

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation via crafted H.323 packets directly matches T1190 (Exploit Public-Facing Application) for kernel netfilter processing.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22984 (same product: Linux kernel)
CVE-2026-31405 (same product: Linux kernel)
CVE-2026-31636 (same product: Linux kernel)
CVE-2026-31570 (same product: Linux kernel)
CVE-2026-31613 (same product: Linux kernel)
CVE-2026-31478 (same product: Linux kernel)
CVE-2025-21742 (same product: Linux kernel)
CVE-2026-23187 (same product: Linux kernel)
CVE-2025-71093 (same product: Linux kernel)
CVE-2025-71231 (same product: Linux kernel)

Affected Assets

linux
linux kernel
7.0 · 2.6.17 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Requires timely patching of the Linux kernel to remediate the specific out-of-bounds read vulnerability in the nf_conntrack_h323 DecodeQ931() function.

Prevent: Disabling unnecessary kernel modules like nf_conntrack_h323 prevents loading and execution of the vulnerable H.323 connection tracking code.

Prevent: Enforces validation of information inputs such as 16-bit lengths in H.323 packet processing to prevent underflow and out-of-bounds reads from zero-length UserUserIE fields.
