CVE-2026-23457

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()<br /> <br /> sip_help_tcp() parses the SIP Content-Length header with<br /> simple_strtoul(), which returns unsigned long, but stores the result in<br /> unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are<br /> silently truncated before computing the SIP message boundary.<br /> <br /> For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,<br /> causing the parser to miscalculate where the current message ends. The<br /> loop then treats trailing data in the TCP segment as a second SIP<br /> message and processes it through the SDP parser.<br /> <br /> Fix this by changing clen to unsigned long to match the return type of<br /> simple_strtoul(), and reject Content-Length values that exceed the<br /> remaining TCP payload length.