CVE-2026-52986

Source
https://cve.org/CVERecord?id=CVE-2026-52986
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52986.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52986
Downstream
Published
2026-06-24T16:29:00.752Z
Modified
2026-07-08T08:05:27.321242433Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
netfilter: nf_conntrack_sip: don't use simple_strtoul
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfconntracksip: don't use simple_strtoul

Replace unsafe port parsing in epaddrlen(), ctsipparseheaderuri(), and ctsipparserequest() with a new sipparseport() helper that validates each digit against the buffer limit, eliminating the use of simple_strtoul() which assumes NUL-terminated strings.

The previous code dereferenced pointers without bounds checks after sipparseaddr() and relied on simple_strtoul() on non-NUL-terminated skb data. A port that reaches the buffer limit without a trailing character is also rejected as malformed.

Also get rid of all simple_strtoul() usage in conntrack, prefer a stricter version instead. There are intentional changes:

  • Bail out if number is > UINT_MAX and indicate a failure, same for too long sequences. While we do accept 05535 as port 5535, we will not accept e.g. 'sip:10.0.0.1:005060'. While its syntactically valid under RFC 3261, we should restrict this to not waste cycles when presented with malformed packets with 64k '0' characters.

  • Force base 10 in ctsipparsenumericalparam(). This is used to fetch 'expire=' and 'rports='; both are expected to use base-10.

  • In nfnatsip.c, only accept the parsed value if its within the 1k-64k range.

  • epaddrlen now returns 0 if the port is invalid, as it already does for invalid ip addresses. This is intentional. nfconntrack_sip performs lots of guesswork to find the right parts of the message to parse. Being stricter could break existing setups. Connection tracking helpers are designed to allow traffic to pass, not to block it.

Based on an earlier patch from Jenny Guanni Qu qguanni@gmail.com.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52986.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
05e3ced297fe755093140e7487e292fb7603316e
Fixed
8cd0358379570003659186706e077929d6930c40
Fixed
9c6afcb1c3cbb2c0da65b8515ac14d7273872f84
Fixed
b3264c977e79d8a25778d4fd11520f00fea1329c
Fixed
ea2ecd29b8f4433e52607192ca91084f95787ca0
Fixed
9f69c323ae0ab517e595c2cc74e0ae0d9d085611
Fixed
7df9863bf538a626e8a684e59cb2c43eac0ef3c8
Fixed
523762e3b6933fff81f01dfa3c60c0774044cdab
Fixed
8cf6809cddcbe301aedfc6b51bcd4944d45795f6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52986.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.26
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52986.json"