External risk intelligence

Linux kernel vulnerability may allow attackers to gain control of your systems

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-23455

An external attacker could disrupt Linux kernel operations by sending a malformed network packet. This could cause outages, impacting business services.

3Halo Surface Signal

Out-of-bounds Read

Linux Kernel

2.6.17 to before 5.10.2535.11 to before 5.15.2035.16 to before 6.1.1676.2 to before 6.6.1306.7 to before 6.12.786.13 to before 6.18.206.19 to before 6.19.107.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-23455

The vulnerability is in the Linux kernel netfilter H.323 connection tracking module. H.323 is a protocol for multimedia communications. While not exposed on standard Linux hosts, the module is often enabled on edge devices, firewalls, or VoIP gateways that process H.323 traffic, making remote reachability plausible in specific network infrastructure deployments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This issue in the Linux kernel's netfilter component could allow an attacker to cause a system to crash or leak sensitive information. It affects how the system handles specific network traffic related to multimedia communications.

  • Critical vulnerability in network processing.
  • Potential for system crashes or information leaks.
  • Could be exploited by specially crafted network packets.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this by sending specially crafted H.323 network traffic. This traffic would target the Linux kernel's netfilter module, specifically the nf_conntrack_h323 component, to trigger an out-of-bounds read. Successful exploitation could lead to a denial-of-service or potentially code execution.

  • Network traffic targeting H.323.
  • Requires vulnerable kernel module.
  • Zero-length indicator triggers error.

Live Threat

Current exploitation, exposure, and threat context

This Linux kernel vulnerability in netfilter's H.323 connection tracking module allows for an out-of-bounds read due to improper length handling in the DecodeQ931 function. While the module is not always enabled, it is present on devices like firewalls and VoIP gateways, making exploitation possible in targeted network environments.

  • No known public exploits.
  • Not listed in KEV.
  • Recently patched.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching systems running affected Linux kernel versions, especially those handling H.323 traffic. If immediate patching is not possible, consider network-level filtering or disabling the `nf_conntrack_h323` module to mitigate the risk of remote code execution.

  • Patch affected Linux kernel versions.
  • Isolate or disable `nf_conntrack_h323` module.
  • Monitor for exploitation attempts.

Frequently asked questions

What is the Linux kernel's netfilter component and what is it used for?

The Linux kernel's netfilter component is a framework that allows various network-related operations to be performed on network packets as they pass through the kernel. It's used for tasks such as packet filtering, network address translation (NAT), and packet mangling, forming the basis for firewalls and other network security functions.

What weakness class does CVE-2026-23455 fall under?

CVE-2026-23455 is an out-of-bounds read vulnerability, categorized under CWE-125. This means that a program attempts to read data from an incorrect memory location, which can lead to system instability or information disclosure.

How can an attacker trigger the vulnerability in CVE-2026-23455?

An attacker can trigger this vulnerability by sending specially crafted H.323 network traffic. This traffic targets the nf_conntrack_h323 module within the Linux kernel. The bug is specifically triggered when a zero-length indicator is encountered in the H.323 protocol's Q.931 decoding process, leading to an error.

Who should be concerned about CVE-2026-23455 based on Halo Surface Signal?

Organizations running Linux kernel versions with the netfilter H.323 connection tracking module enabled should be concerned. According to Halo Surface Signal, this vulnerability is classified as external, meaning it can be reached from the internet, particularly on edge devices, firewalls, or VoIP gateways processing H.323 traffic.

What is the first step to respond to CVE-2026-23455?

The primary response is to update the Linux kernel to a patched version. If immediate patching is not feasible, consider mitigating the risk by disabling the `nf_conntrack_h323` module or implementing network-level filtering to block malicious H.323 traffic.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified