Bug 2454800 (CVE-2026-23457) - CVE-2026-23457 kernel: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
Summary: CVE-2026-23457 kernel: netfilter: nf_conntrack_sip: fix Content-Length u32 tr...
Keywords:
Status: NEW
Alias: CVE-2026-23457
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-03 16:01 UTC by OSIDB Bzimport
Modified: 2026-04-03 19:48 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-03 16:01:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with
simple_strtoul(), which returns unsigned long, but stores the result in
unsigned int clen.  On 64-bit systems, values exceeding UINT_MAX are
silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,
causing the parser to miscalculate where the current message ends.  The
loop then treats trailing data in the TCP segment as a second SIP
message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of
simple_strtoul(), and reject Content-Length values that exceed the
remaining TCP payload length.
Comment 1 Jon Moroney 2026-04-03 19:47:09 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040318-CVE-2026-23457-e7f6@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.