CVE-2026-23455
Published: 03 April 2026
Summary
CVE-2026-23455 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-23455 is an out-of-bounds read vulnerability in the Linux kernel's netfilter nf_conntrack_h323 subsystem, specifically within the DecodeQ931() function. The issue arises when processing the UserUserIE code path: the function reads a 16-bit length from the packet, decrements it by 1 to account for the protocol discriminator byte, and passes the result to DecodeH323_UserInformation(). If the encoded length is zero, the decrement causes an underflow to -1, interpreted as a large unsigned value, leading to an out-of-bounds read. It affects Linux kernel versions with the nf_conntrack_h323 module loaded for H.323 protocol connection tracking, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
Remote, unauthenticated attackers can exploit this vulnerability over the network by sending crafted H.323 packets containing a zero-length UserUserIE field. No user interaction or privileges are required, and the attack has low complexity. Successful exploitation triggers the out-of-bounds read, potentially resulting in high-impact confidentiality loss through information disclosure or high-impact availability disruption, such as kernel crashes or denial of service.
Mitigation requires updating to a patched Linux kernel version. The fix adds a check in DecodeQ931() to ensure the length remains positive after decrementing, as implemented in stable kernel commits including https://git.kernel.org/stable/c/2121f5fbe88daff0f1fc5bc47d359426c74b86b0, https://git.kernel.org/stable/c/495e97af9e7249ee02b72bb1d0848a6efc3700f4, https://git.kernel.org/stable/c/633e8f87dad32263f6a57dccdb873f042c062111, https://git.kernel.org/stable/c/65fa92f79677858b14b9e4b7275f26639afe2710, and https://git.kernel.org/stable/c/9d00fe7d6d7c5b5f1065a6e042b54f2e44bd6df8.
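A stand-alone userspace model of the length handling described above, as an added example that is not the kernel's source: the function name `parse_uuie`, the identifier value 0x7e, the buffer-fit check and the sample bytes are assumptions made for illustration. It shows why a zero encoded length reaches the decoder as a huge value and how a positive-length check rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_USER_USER 0x7e /* assumed IE identifier, not given on the page */

/* Constructed samples: identifier, 16-bit big-endian length, then body. */
static const uint8_t ZERO_LEN_IE[] = { IE_USER_USER, 0x00, 0x00 };
static const uint8_t VALID_IE[] = { IE_USER_USER, 0x00, 0x03, 0x05, 0xaa, 0xbb };

/*
 * Hypothetical model of the length handling. Returns 0 and stores the length
 * the decoder would be given, or -1 if the element is rejected.
 * checked == 0 models the behaviour before the fix, 1 the behaviour after.
 */
static int parse_uuie(const uint8_t *p, size_t sz, int checked, size_t *out_len)
{
    int len;

    if (sz < 3 || p[0] != IE_USER_USER)
        return -1;
    len = (p[1] << 8) | p[2];   /* 16-bit length read from the packet */
    sz -= 3;
    if (sz < (size_t)len)       /* declared length must fit in the buffer */
        return -1;
    len--;                      /* skip the protocol discriminator byte */
    if (checked && len <= 0)    /* fix: length must stay positive */
        return -1;
    *out_len = (size_t)len;     /* -1 converts to SIZE_MAX here */
    return 0;
}

int main(void)
{
    size_t n = 0;

    if (parse_uuie(ZERO_LEN_IE, sizeof ZERO_LEN_IE, 0, &n) == 0)
        printf("unchecked, zero length: decoder told to read %zu bytes\n", n);
    if (parse_uuie(ZERO_LEN_IE, sizeof ZERO_LEN_IE, 1, &n) != 0)
        printf("checked, zero length: rejected\n");
    if (parse_uuie(VALID_IE, sizeof VALID_IE, 1, &n) == 0)
        printf("checked, valid element: payload length %zu\n", n);
    return 0;
}
```

In the model, the buffer-fit check alone does not catch the zero length, because 0 always fits; only the check after the decrement does.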
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18711
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Remote unauthenticated network exploitation via crafted H.323 packets directly matches T1190 (Exploit Public-Facing Application) for kernel netfilter processing.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely patching of the Linux kernel to remediate the specific out-of-bounds read vulnerability in the nf_conntrack_h323 DecodeQ931() function.
Disabling unnecessary kernel modules like nf_conntrack_h323 prevents loading and execution of the vulnerable H.323 connection tracking code.
Enforces validation of information inputs such as 16-bit lengths in H.323 packet processing to prevent underflow and out-of-bounds reads from zero-length UserUserIE fields.