CVE-2026-23457

High

Published: 03 April 2026

Modified: 26 May 2026
KEV Added
Patch
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0037 (29.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23457 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 29.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23457 is a vulnerability in the Linux kernel's netfilter nf_conntrack_sip subsystem, specifically in the sip_help_tcp() function. This function parses the SIP Content-Length header using simple_strtoul(), which returns an unsigned long, but stores the result in an unsigned int variable named clen. On 64-bit systems, Content-Length values exceeding UINT_MAX are silently truncated, leading to incorrect calculation of the SIP message boundary. For instance, a Content-Length of 4294967328 (2^32 + 32) truncates to 32, causing the parser to treat trailing data in the TCP segment as a separate SIP message and process it through the SDP parser.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). By sending crafted SIP messages over TCP with oversized Content-Length headers, attackers can trigger truncation and subsequent misparsing, potentially resulting in limited confidentiality and integrity impacts alongside high availability disruption, such as kernel crashes or denial of service in nf_conntrack processing.

The provided references point to stable kernel patch commits that address the issue by changing the clen variable to unsigned long to match simple_strtoul()'s return type and adding a check to reject Content-Length values exceeding the remaining TCP payload length. Security practitioners should apply these upstream fixes from the listed kernel stable repositories to mitigate the vulnerability.
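The truncation and the two-part fix described above, as an added example that is not the kernel's code or the patch itself: a userspace model in which uint64_t stands in for a 64-bit kernel's unsigned long and uint32_t for unsigned int. The function names, the 64-byte remaining payload and the empty-value check are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of a 64-bit kernel: uint64_t stands in for unsigned long
 * (what simple_strtoul() returns), uint32_t for unsigned int. */

/* Pre-fix shape: the parsed length is stored in a 32-bit variable. */
static uint64_t clen_truncating(const char *value)
{
    uint32_t clen = (uint32_t)strtoull(value, NULL, 10); /* high bits lost */
    return clen;
}

/* Post-fix shape: keep the full width and reject a length larger than the
 * bytes left in the TCP payload. Returns 0 and sets *clen, or -1 to reject.
 * Rejecting a value with no digits is an extra check added for this model. */
static int clen_checked(const char *value, uint64_t remaining, uint64_t *clen)
{
    char *end;
    uint64_t v = strtoull(value, &end, 10);

    if (end == value || v > remaining)
        return -1;
    *clen = v;
    return 0;
}

int main(void)
{
    const char *hdr = "4294967328"; /* 2^32 + 32, the page's example value */
    uint64_t remaining = 64;        /* constructed: bytes left in the segment */
    uint64_t clen;

    printf("truncating: body=%llu, %llu trailing bytes seen as a new message\n",
           (unsigned long long)clen_truncating(hdr),
           (unsigned long long)(remaining - clen_truncating(hdr)));
    if (clen_checked(hdr, remaining, &clen) < 0)
        printf("checked: length exceeds remaining payload, rejected\n");
    if (clen_checked("32", remaining, &clen) == 0)
        printf("checked: length %llu fits, accepted\n", (unsigned long long)clen);
    return 0;
}
```
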

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote network exploitation of SIP parsing flaw in kernel conntrack enables remote service exploitation and system/application DoS via crafted packets.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31393 · Same product: Linux Linux Kernel
CVE-2026-31682 · Same product: Linux Linux Kernel
CVE-2026-31501 · Same product: Linux Linux Kernel
CVE-2026-31657 · Same product: Linux Linux Kernel
CVE-2026-31448 · Same product: Linux Linux Kernel
CVE-2024-57791 · Same product: Linux Linux Kernel
CVE-2026-23456 · Same product: Linux Linux Kernel
CVE-2026-31640 · Same product: Linux Linux Kernel
CVE-2026-31626 · Same product: Linux Linux Kernel
CVE-2026-31676 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 2.6.34 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely application of Linux kernel patches that fix Content-Length truncation in nf_conntrack_sip.

prevent

Requires validation of SIP Content-Length headers to match data types and not exceed TCP payload lengths, preventing truncation and misparsing.

prevent

Enforces secure kernel configuration settings to disable nf_conntrack_sip module if unneeded, avoiding exposure to the SIP parsing flaw.

References