netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()_CVE-2026-23457

8.6 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with
simple_strtoul(), which returns unsigned long, but stores the result in
unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are
silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
causing the parser to miscalculate where the current message ends. The
loop then treats trailing data in the TCP segment as a second SIP
message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of
simple_strtoul(), and reject Content-Length values that exceed the
remaining TCP payload length.

Basic Information

ID CVE-2026-23457

Source Linux

Published Apr 3, 2026 at 15:15

Modified Apr 27, 2026 at 14:02

Affected Product

Vendor Linux

Product Linux

Version f5b321bd37fbec9188feb1f721ab46a5ac0b35da

Affected Versions Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da
Linux Linux 2.6.34

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends.  The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length.",
    "published": "2026-04-03T15:15:38.193Z",
    "modified": "2026-04-27T14:02:35.826Z",
    "type": "cve",
    "title": "netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873\nhttps://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f\nhttps://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027\nhttps://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383\nhttps://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659\nhttps://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9\nhttps://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015\nhttps://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c",
    "id": "CVE-2026-23457",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux f5b321bd37fbec9188feb1f721ab46a5ac0b35da\nLinux Linux 2.6.34",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply