{ "threat_severity" : "Moderate", "public_date" : "2026-04-03T00:00:00Z", "bugzilla" : { "description" : "kernel: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()", "id" : "2454800", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454800" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "status" : "draft" }, "cwe" : "CWE-681", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen. On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends. The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length.", "A flaw was found in the Linux kernel's netfilter subsystem, specifically within the `nf_conntrack_sip` module. This vulnerability arises from an integer truncation error when processing the `Content-Length` header in Session Initiation Protocol (SIP) messages. On 64-bit systems, large `Content-Length` values are silently truncated, causing the system to misinterpret the boundary of SIP messages. This can lead to the incorrect parsing of network traffic, potentially allowing an attacker to bypass security policies or trigger unintended processing of data." ], "statement" : "Truncating Content-Length to 32 bits mis-positions SIP message boundaries so trailing bytes may be parsed as a second message through SDP handling. Requires SIP traffic through the conntrack helper; the effect is parser confusion and possible policy bypass, not a classic buffer overflow.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23457\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23457\nhttps://lore.kernel.org/linux-cve-announce/2026040318-CVE-2026-23457-e7f6@gregkh/T" ], "name" : "CVE-2026-23457", "mitigation" : { "value" : "To mitigate this issue, prevent the nf_conntrack_sip module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.", "lang" : "en:us" }, "csaw" : false }