CVE-2026-23456
Published: 03 April 2026
Summary
CVE-2026-23456 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 35.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23456 is an out-of-bounds read vulnerability in the Linux kernel's netfilter nf_conntrack_h323 helper. The issue occurs in the decode_int() function during the CONS case, where get_bits() reads a 2-bit length value, but the subsequent get_uint() call reads 1-4 bytes without verifying that sufficient data remains in the buffer. A malformed H.323/RAS packet can trigger a 1-4 byte slab-out-of-bounds read. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).
A remote attacker needs no privileges and no user interaction, and the attack complexity over the network is low. A specially crafted H.323/RAS packet causes the kernel to perform an out-of-bounds read, which can crash the kernel and cause a denial of service (the high availability impact in the CVSS vector), with limited confidentiality exposure from the data read.
Mitigation involves applying kernel patches that add a boundary check for the required number of bytes after get_bits() and before calling get_uint(). Relevant stable backports are available in the following commits:
- https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a
- https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d
- https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20
- https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb
- https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2
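The two-stage bounds check described above, as an added example: this is a simplified user-space model written for this page, not the kernel's code. The struct layout, the helper names other than get_bits() and get_uint(), the error codes, and the byte alignment before the value are assumptions of the model. The length is taken as the 2-bit field plus one, matching the 1-4 byte range stated above.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified user-space model; struct and helper names are illustrative. */
struct bitstream {
    const uint8_t *cur;  /* next byte to read */
    const uint8_t *end;  /* one past the last valid byte */
    unsigned int bit;    /* bit offset inside *cur, 0..7 */
};
enum { DEC_OK = 0, DEC_ERR_BOUND = -1 };

/* Nonzero if reading `bits` bits and then `bytes` bytes would run past end. */
static int past_end(const struct bitstream *bs, size_t bytes, size_t bits)
{
    size_t need = bytes + (bs->bit + bits + 7) / 8;
    return need > (size_t)(bs->end - bs->cur);
}
static unsigned int get_bits(struct bitstream *bs, unsigned int n)
{
    unsigned int v = 0;
    while (n--) {  /* MSB first, one bit at a time */
        v = (v << 1) | ((*bs->cur >> (7 - bs->bit)) & 1u);
        if (++bs->bit == 8) { bs->bit = 0; bs->cur++; }
    }
    return v;
}
static uint32_t get_uint(struct bitstream *bs, unsigned int len)
{
    uint32_t v = 0;
    while (len--) v = (v << 8) | *bs->cur++;  /* big-endian, no checks of its own */
    return v;
}
/* CONS-style integer: 2-bit length field (value + 1 bytes), then the value. */
int decode_cons_int(const uint8_t *buf, size_t n, uint32_t *out)
{
    struct bitstream bs = { buf, buf + n, 0 };
    unsigned int len;
    if (past_end(&bs, 0, 2)) return DEC_ERR_BOUND;    /* covers get_bits() only */
    len = get_bits(&bs, 2) + 1;
    if (bs.bit) { bs.bit = 0; bs.cur++; }             /* byte-align (assumed) */
    if (past_end(&bs, len, 0)) return DEC_ERR_BOUND;  /* the check the fix adds */
    *out = get_uint(&bs, len);
    return DEC_OK;
}
int main(void)
{
    const uint8_t truncated[] = { 0xC0, 0x12 };  /* constructed: claims 4, has 1 */
    uint32_t v = 0;
    return decode_cons_int(truncated, sizeof truncated, &v) == DEC_ERR_BOUND ? 0 : 1;
}
```

Without the second past_end() call, the truncated sample would make get_uint() read three bytes beyond the buffer, which is the pattern the patch closes.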
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18712
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB read in network packet processing enables remote crafted-packet kernel crash (DoS) via system exploitation; limited info leak does not map to additional techniques.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through kernel patching directly implements the missing boundary check to prevent the OOB read in nf_conntrack_h323.
Least functionality by disabling the nf_conntrack_h323 helper module when H.323/RAS is not required eliminates exposure to malformed packets triggering the vulnerability.
Information input validation enforces bounds checking on network packet data, addressing the core issue of insufficient buffer length verification in decode_int().