CVE-2026-23457

HIGH

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.

References (8)

Core 8

Scores

CVSS v3 8.6
EPSS 0.0007
EPSS Percentile 22.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Details

Status published
Products (19)
Linux/Linux < 2.6.34
Linux/Linux 2.6.34
Linux/Linux 5.10.253 - 5.10.*
Linux/Linux 5.15.203 - 5.15.*
Linux/Linux 6.1.167 - 6.1.*
Linux/Linux 6.12.78 - 6.12.*
Linux/Linux 6.18.20 - 6.18.*
Linux/Linux 6.19.10 - 6.19.*
Linux/Linux 6.6.130 - 6.6.*
Linux/Linux 7.0
... and 9 more
Published Apr 03, 2026
Tracked Since Apr 03, 2026