CVE-2026-23457
Published: 03 April 2026
Summary
CVE-2026-23457 is a high-severity vulnerability in the Linux kernel; the weakness type (CWE) is unspecified. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); its exploit-likelihood percentile is 29.2 (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23457 is a vulnerability in the Linux kernel's netfilter nf_conntrack_sip subsystem, specifically in the sip_help_tcp() function. This function parses the SIP Content-Length header using simple_strtoul(), which returns an unsigned long, but stores the result in an unsigned int variable named clen. On 64-bit systems, Content-Length values exceeding UINT_MAX are silently truncated, leading to incorrect calculation of the SIP message boundary. For instance, a Content-Length of 4294967328 (2^32 + 32) truncates to 32, causing the parser to treat trailing data in the TCP segment as a separate SIP message and process it through the SDP parser.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). By sending crafted SIP messages over TCP with oversized Content-Length headers, attackers can trigger truncation and subsequent misparsing, potentially resulting in limited confidentiality and integrity impacts alongside high availability disruption, such as kernel crashes or denial of service in nf_conntrack processing.
The provided references point to stable kernel patch commits that address the issue by changing the clen variable to unsigned long to match simple_strtoul()'s return type and adding a check to reject Content-Length values exceeding the remaining TCP payload length. Security practitioners should apply these upstream fixes from the listed kernel stable repositories to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18714
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp(). sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.
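The truncation described in the deeper analysis and in the patch description, modelled as an added user-space C example (this is not kernel code and not the upstream patch). It assumes an LP64 build (unsigned long is 64 bits, unsigned int is 32 bits, as on 64-bit Linux), uses strtoul() as a stand-in for the kernel's simple_strtoul(), and takes "remaining" to mean the payload bytes left in the TCP segment after the headers; the function names and the sample lengths are constructed for the illustration.

```c
/* Added example: models the Content-Length handling described for
 * sip_help_tcp(). Not kernel code; strtoul() stands in for simple_strtoul(). */
#include <stdio.h>
#include <stdlib.h>

/* Pre-fix behaviour: the unsigned long returned by the parser is stored
 * in a 32-bit unsigned int, so values >= 2^32 silently wrap.
 * On LP64, "4294967328" (2^32 + 32) comes back as 32. */
unsigned int body_len_truncated(const char *content_length)
{
    unsigned int clen = strtoul(content_length, NULL, 10); /* narrowing */
    return clen;
}

/* Post-fix behaviour, part 1: keep the full unsigned long. */
unsigned long body_len_full(const char *content_length)
{
    unsigned long clen = strtoul(content_length, NULL, 10);
    return clen;
}

/* Post-fix behaviour, part 2: a Content-Length larger than the payload
 * remaining after the headers cannot be genuine, so the message is rejected
 * instead of being used to compute a boundary. Returns 1 if acceptable. */
int content_length_valid(unsigned long clen, unsigned long remaining)
{
    return clen <= remaining;
}

/* How many bytes of a 'seg_len'-byte TCP segment lie beyond the end of the
 * current message (headers of 'hdr_len' bytes plus a body of 'clen' bytes).
 * With a wrapped clen this is the data the loop would re-parse as a second
 * SIP message; with the real clen the message extends past the segment. */
unsigned long trailing_after_msg(unsigned long seg_len, unsigned long hdr_len,
                                 unsigned long clen)
{
    unsigned long end = hdr_len + clen;
    return end < seg_len ? seg_len - end : 0;
}

int main(void)
{
    /* Constructed sample: 200-byte segment, 100 bytes of headers,
     * Content-Length header carrying 2^32 + 32. */
    const char *cl = "4294967328";
    unsigned long seg_len = 200, hdr_len = 100;
    unsigned long remaining = seg_len - hdr_len;

    unsigned int wrapped = body_len_truncated(cl);
    printf("wrapped clen = %u, bytes re-parsed as a second message = %lu\n",
           wrapped, trailing_after_msg(seg_len, hdr_len, wrapped));

    unsigned long full = body_len_full(cl);
    printf("full clen = %lu, %s\n", full,
           content_length_valid(full, remaining) ? "accepted" : "rejected");
    return 0;
}
```

Running it shows the wrapped value 32 leaving 68 bytes of the segment to be treated as another SIP message, while the fixed path keeps the 64-bit value and rejects it because it exceeds the 100 bytes remaining.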
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote network exploitation of SIP parsing flaw in kernel conntrack enables remote service exploitation and system/application DoS via crafted packets.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely application of the Linux kernel patches that fix the Content-Length truncation in nf_conntrack_sip.
- SI-10 (Information Input Validation): requires validation of SIP Content-Length headers so that they match the data type used to store them and do not exceed the remaining TCP payload length, preventing truncation and misparsing.
- Secure configuration settings: enforces secure kernel configuration, including disabling the nf_conntrack_sip module where it is not needed, to avoid exposure to the SIP parsing flaw.