In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfconntrackh323: fix OOB read in decode_int() CONS case
In decodeint(), the CONS case calls getbits(bs, 2) to read a length value, then calls getuint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for getbits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.
Add a boundary check for len bytes after getbits() and before getuint().
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23456.json",
"cna_assigner": "Linux"
}