Cyber Resilience

CVE-2026-23456

High

Published: 03 April 2026

Modified: 26 May 2026
KEV Added
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0044 (35.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23456 is a high-severity out-of-bounds read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 35.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23456 is an out-of-bounds read vulnerability in the Linux kernel's netfilter nf_conntrack_h323 helper. The issue occurs in the decode_int() function during the CONS case, where get_bits() reads a 2-bit length value, but the subsequent get_uint() call reads 1-4 bytes without verifying that sufficient data remains in the buffer. A malformed H.323/RAS packet can trigger a 1-4 byte slab-out-of-bounds read. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

A remote attacker needs no privileges and no user interaction, and the attack complexity is low. By sending a specially crafted H.323/RAS packet, an attacker can cause the kernel to perform an out-of-bounds read. This can potentially lead to a denial of service through a kernel crash (the high availability impact in the CVSS vector), along with limited confidentiality exposure from the read operation.

Mitigation involves applying kernel patches that add a boundary check for the required number of bytes after get_bits() and before calling get_uint(). Relevant stable backports are available in the following commits: https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a, https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d, https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20, https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb, and https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2.
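The effect of the missing check, and of adding it, can be seen in a small user-space model (an added example, not the kernel's code or the patch itself). The cursor struct, `short_by()`, the `+ 1` length encoding, the byte alignment and the sample bytes are assumptions made for illustration; only the order of get_bits(), length check and get_uint() follows the description above.

```c
#include <stddef.h>
#include <stdint.h>

#define ERR_BOUND (-1)

/* Simplified user-space cursor over a packet; not the kernel's struct. */
struct bitstr {
    const uint8_t *cur, *end;   /* next byte; one past last valid byte */
    unsigned bit;               /* bit offset inside *cur, 0..7 */
};

/* Nonzero when fewer than `bytes` bytes plus `bits` bits remain. */
static int short_by(const struct bitstr *bs, size_t bytes, size_t bits)
{
    size_t need = bytes + (bs->bit + bits + 7) / 8;
    return (ptrdiff_t)need > bs->end - bs->cur;
}

static unsigned get_bits(struct bitstr *bs, unsigned n)
{
    unsigned v = 0;
    while (n--) {                       /* MSB-first */
        v = (v << 1) | ((*bs->cur >> (7 - bs->bit)) & 1u);
        if (++bs->bit == 8) { bs->bit = 0; bs->cur++; }
    }
    return v;
}

/* Constructed sample: packet bytes first, then unrelated neighbouring bytes
 * (0xAA) standing in for adjacent slab memory so the demo stays defined. */
static const uint8_t slab[8] = { 0xC0, 0x11, 0x22, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };

/* CONS-style decode of slab[0..pkt_len). check_len=0 models the flow before
 * the fix, check_len=1 the flow after it. *over = bytes read past `end`. */
static int decode_cons(size_t pkt_len, int check_len, uint32_t *val, size_t *over)
{
    struct bitstr bs = { slab, slab + pkt_len, 0 };
    if (short_by(&bs, 0, 2))
        return ERR_BOUND;                  /* pre-existing check: 2 bits only */
    unsigned len = get_bits(&bs, 2) + 1;   /* 1..4 value bytes follow */
    if (bs.bit) { bs.cur++; bs.bit = 0; }  /* byte-align */
    if (check_len && short_by(&bs, len, 0))
        return ERR_BOUND;                  /* added check: len bytes remain? */
    *over = bs.cur + len > bs.end ? (size_t)(bs.cur + len - bs.end) : 0;
    for (*val = 0; len--; bs.cur++)        /* get_uint(): big-endian read */
        *val = (*val << 8) | *bs.cur;
    return 0;
}
```

With a 3-byte packet the unchecked path returns a value built partly from the two neighbouring bytes, while the checked path rejects the packet before any read.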

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read in network packet processing enables remote crafted-packet kernel crash (DoS) via system exploitation; limited info leak does not map to additional techniques.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-49163 (Same product: Linux Linux Kernel)
CVE-2026-23102 (Same product: Linux Linux Kernel)
CVE-2024-41935 (Same product: Linux Linux Kernel)
CVE-2022-49706 (Same product: Linux Linux Kernel)
CVE-2025-21794 (Same product: Linux Linux Kernel)
CVE-2026-23388 (Same product: Linux Linux Kernel)
CVE-2022-49674 (Same product: Linux Linux Kernel)
CVE-2022-49444 (Same product: Linux Linux Kernel)
CVE-2022-49401 (Same product: Linux Linux Kernel)
CVE-2025-21719 (Same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
7.0 · 2.6.17 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Timely flaw remediation through kernel patching directly implements the missing boundary check to prevent the OOB read in nf_conntrack_h323.

Prevent: Least functionality by disabling the nf_conntrack_h323 helper module when H.323/RAS is not required eliminates exposure to malformed packets triggering the vulnerability.

Prevent: Information input validation enforces bounds checking on network packet data, addressing the core issue of insufficient buffer length verification in decode_int().
