Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-43233— netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

CVSS 8.2 · High EPSS 0.07% · P21

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinuxec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041affected
ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< 2a3aac4205e7d2f1aca2e3827de8cdd517d36c4aaffected
ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< 81f2fc5b0d0cf4696146f00f837596d10b92deadaffected
ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< 7ef82863d42261817a6394c6c881bd6757a70f16affected
ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< 53d32735d77ab56cc3fc7bd53a7d099418f19be1affected
ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< f0a83d0a4b7c127d32ac06d607a9214937716129affected
ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< 35f1943d242e1b9f0b6e91c0c93bfb293a9f8224affected
ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa< baed0d9ba91d4f390da12d5039128ee897253d60affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43233

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_choice() In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function: unsigned int type, ext, len = 0; ... if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */ return H323_ERROR_BOUND; len = get_len(bs); /* OOB read */ When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well. This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer. Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized `len`. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len().
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于decode_choice函数中边界检查使用未初始化的len变量,可能导致越界读取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa ~ bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041 -
LinuxLinux 4.15 -

II. Public POCs for CVE-2026-43233

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43233

登录查看更多情报信息。
Patch · 8

Same Patch Batch · Linux · 2026-05-06 · 225 CVEs total

CVE-2026-431869.8 CRITICALipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
CVE-2026-431259.8 CRITICALdlm: validate length in dlm_search_rsb_tree
CVE-2026-431859.8 CRITICALksmbd: fix signededness bug in smb_direct_prepare_negotiation()
CVE-2026-431989.8 CRITICALtcp: fix potential race in tcp_v6_syn_recv_sock()
CVE-2026-432089.8 CRITICALnet: do not pass flow_id to set_rps_cpu()
CVE-2026-431149.4 CRITICALnetfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
CVE-2026-431179.1 CRITICALbtrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
CVE-2026-431979.1 CRITICALnetconsole: avoid OOB reads, msg is not nul-terminated
CVE-2026-430839.1 CRITICALnet: ioam6: fix OOB and missing lock
CVE-2026-431878.8 HIGHxfs: delete attr leaf freemap entries when empty
CVE-2026-432838.8 HIGHnet: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
CVE-2026-432158.8 HIGHcifs: Fix locking usage for tcon fields
CVE-2026-431768.8 HIGHwifi: rtw89: pci: validate release report content before using for RTL8922DE
CVE-2026-431728.8 HIGHwifi: iwlwifi: fix 22000 series SMEM parsing
CVE-2026-431138.8 HIGHwifi: wl1251: validate packet IDs before indexing tx_frames
CVE-2026-432498.8 HIGH9p/xen: protect xen_9pfs_front_free against concurrent calls
CVE-2026-432398.8 HIGHsmb: client: prevent races in ->query_interfaces()
CVE-2026-431588.8 HIGHxfs: fix freemap adjustments when adding xattrs to leaf blocks
CVE-2026-431128.8 HIGHfs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
CVE-2026-431108.8 HIGHwifi: brcmfmac: validate bsscfg indices in IF events

Showing top 20 of 225 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-43233

No comments yet

Leave a comment