CVE-2026-23457

HIGH

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.

Scores

CVSS v3 8.6
EPSS 0.0043
EPSS Percentile 35.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Details

Status published
Products (28)
linux/Kernel 2.6.34 - 5.10.253linux
linux/Kernel 5.11.0 - 5.15.203linux
linux/Kernel 5.16.0 - 6.1.167linux
linux/Kernel 6.13.0 - 6.18.20linux
linux/Kernel 6.19.0 - 6.19.10linux
linux/Kernel 6.2.0 - 6.6.130linux
linux/Kernel 6.7.0 - 6.12.78linux
Linux/Linux < 2.6.34
Linux/Linux 2.6.34
Linux/Linux 5.10.253 - 5.10.*
... and 18 more
Published Apr 03, 2026
Tracked Since Apr 03, 2026