{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23457", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.020Z", "datePublished": "2026-04-03T15:15:38.193Z", "dateUpdated": "2026-05-11T22:07:21.559Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:21.559Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen. On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends. The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_sip.c"], "versions": [{"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "ed81b6a7012485acdb9c6c80735a0b7d8e5e1873", "status": "affected", "versionType": "git"}, {"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f", "status": "affected", "versionType": "git"}, {"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "b75209debb9adab287b3caa982f77788c1e15027", "status": "affected", "versionType": "git"}, {"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "528b4509c9dfc272e2e92d811915e5211650d383", "status": "affected", "versionType": "git"}, {"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "75fcaee5170e7dbbee778927134ef2e9568b4659", "status": "affected", "versionType": "git"}, {"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "865dba58958c3a86786f89a501971ab0e3ec6ba9", "status": "affected", "versionType": "git"}, {"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "d4f17256544cc37f6534a14a27a9dec3540c2015", "status": "affected", "versionType": "git"}, {"version": "f5b321bd37fbec9188feb1f721ab46a5ac0b35da", "lessThan": "fbce58e719a17aa215c724473fd5baaa4a8dc57c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netfilter/nf_conntrack_sip.c"], "versions": [{"version": "2.6.34", "status": "affected"}, {"version": "0", "lessThan": "2.6.34", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873"}, {"url": "https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f"}, {"url": "https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027"}, {"url": "https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383"}, {"url": "https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659"}, {"url": "https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9"}, {"url": "https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015"}, {"url": "https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c"}], "title": "netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E40FDCE0-F435-4862-9BEF-B0C980697894", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen. On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends. The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length."}], "id": "CVE-2026-23457", "lastModified": "2026-05-26T14:40:03.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:32.473", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/528b4509c9dfc272e2e92d811915e5211650d383"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/75fcaee5170e7dbbee778927134ef2e9568b4659"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/865dba58958c3a86786f89a501971ab0e3ec6ba9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b75209debb9adab287b3caa982f77788c1e15027"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cd1b7403ec835f8a0b3f1f7e68ac26af2cb1e42f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d4f17256544cc37f6534a14a27a9dec3540c2015"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ed81b6a7012485acdb9c6c80735a0b7d8e5e1873"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fbce58e719a17aa215c724473fd5baaa4a8dc57c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()", "id": "2454800", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454800"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-681", "details": ["A flaw was found in the Linux kernel's netfilter subsystem, specifically within the `nf_conntrack_sip` module. This vulnerability arises from an integer truncation error when processing the `Content-Length` header in Session Initiation Protocol (SIP) messages. On 64-bit systems, large `Content-Length` values are silently truncated, causing the system to misinterpret the boundary of SIP messages. This can lead to the incorrect parsing of network traffic, potentially allowing an attacker to bypass security policies or trigger unintended processing of data."], "name": "CVE-2026-23457", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23457\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23457\nhttps://lore.kernel.org/linux-cve-announce/2026040318-CVE-2026-23457-e7f6@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,b75209debb9adab287b3caa982f77788c1e15027)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,528b4509c9dfc272e2e92d811915e5211650d383)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,75fcaee5170e7dbbee778927134ef2e9568b4659)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,865dba58958c3a86786f89a501971ab0e3ec6ba9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,d4f17256544cc37f6534a14a27a9dec3540c2015)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[f5b321bd37fbec9188feb1f721ab46a5ac0b35da,fbce58e719a17aa215c724473fd5baaa4a8dc57c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.34"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.34)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:37:45.055286+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that changes the clen variable to unsigned long and rejects Content\u2011Length values that exceed the remaining TCP payload.", "Upgrade the Linux kernel to a version that includes this fix (e.g., the latest stable or distribution\u2011specific update with the merged changes).", "If an update is not yet available, consider temporarily disabling SIP support in nf_conntrack or filtering SIP traffic with a firewall to block packets containing excessively large Content\u2011Length headers."], "summary": {"action": "Apply patch", "impact": "Denial of Service via SIP parsing error"}, "threat_synthesis": {"affected_systems": "The issue is present in all Linux kernel builds that include the nf_conntrack_sip module and have not incorporated the upstream fix. No specific kernel version range is listed, so the vulnerability applies to all affected releases before the merge of the patch.", "description_and_impact": "The flaw is in the Linux kernel\u2019s netfilter nf_conntrack_sip module, where the SIP Content-Length header is parsed with simple_strtoul() and the result is stored in an unsigned int. On 64\u2011bit systems, values larger than 32\u2011bit unsigned limits are silently truncated, leading the parser to miscompute message boundaries.\nAn attacker can send a Content-Length value above 2^32, causing the module to treat trailing data as a second SIP message and forward it to the SDP parser. This misprocessing can exhaust resources or corrupt state, causing a denial of service or unpredictable SIP handling in applications that rely on the kernel. The weakness is an integer truncation (CWE\u2011681).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.6, indicating high severity. EPSS indicates a very low but non\u2011zero exploitation probability (<\u202f1\u202f%). The flaw is not listed in the CISA KEV catalog. An attacker can exploit it over the network by sending crafted SIP packets containing an oversized Content-Length header. No local privileges are required and the attack path is straightforward, involving only the reception of malformed SIP traffic to a vulnerable kernel."}}}}, "created": "2026-04-03T21:13:41.344320+00:00", "updated": "2026-04-28T16:45:06.177359+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}